popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

hv.exe

.NET framework(MSIL) Malicious Library Admin Tool (Sysinternals etc ...) UPX PWS AntiDebug PNG Format PE File DLL OS Processor Check PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 28, 2023, 2:14 p.m. Nov. 28, 2023, 2:17 p.m.
Size 6.1MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 096406c4d94995f150e36fbb4f8fa05b
SHA256 becb1919235c944b0a0112f5d1818b843bc7624f5dd37fd9b617cab1787580eb
CRC32 836F7059
ssdeep 98304:QsTAa4oXoJby9+mAXwO5QTqABVsOhodAPE0pi6:Rka4oXoJby9+mcwRTtBVsOhoT0pi
PDB Path timely_updates_of_textures_and_presets.pdb
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
138.201.120.172 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 138.201.120.172:15648 -> 192.168.56.103:49164 2029217 ET MALWARE Arechclient2 Backdoor CnC Init Malware Command and Control Activity Detected
TCP 138.201.120.172:15648 -> 192.168.56.103:49168 2029217 ET MALWARE Arechclient2 Backdoor CnC Init Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84d20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84d20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84ca0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84ca0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84ca0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84d20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d84da0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d85020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d85020
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00d850e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c2b80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c2b80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c2a40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c2ec0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c2f80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c2f80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c3640
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c3640
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008c3480
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path timely_updates_of_textures_and_presets.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .sdata
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x778ce688
RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x778ce65f
EtwEventRegister+0x17f EtwRegisterTraceGuidsW-0xa ntdll+0x3f839 @ 0x778df839
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x778d02ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x778d01c2
New_ntdll_LdrGetProcedureAddress@16+0xcd New_ntdll_LdrLoadDll@16-0x87 @ 0x7469d3cd
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x755a11c4
CreateAssemblyNameObject+0xe597 GetMetaDataInternalInterface-0x29ed8 clr+0x3ba30 @ 0x73f9ba30
CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x73f89a44
CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x73f8998d
CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x73f89899
CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x73f89832
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73f7bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73f62ae9
system+0x1eafc4 @ 0x71e2afc4
0x246a069
0x24607f7
system+0x1f9799 @ 0x71219799
system+0x1f92c8 @ 0x712192c8
system+0x1eca74 @ 0x7120ca74
system+0x1ec868 @ 0x7120c868
system+0x1f82b8 @ 0x712182b8
system+0x1ee54d @ 0x7120e54d
system+0x1f70ea @ 0x712170ea
system+0x1e56c0 @ 0x712056c0
system+0x1f8215 @ 0x71218215
system+0x1f6f75 @ 0x71216f75
system+0x1ee251 @ 0x7120e251
system+0x1ee229 @ 0x7120e229
system+0x1ee170 @ 0x7120e170
0xa6a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
system+0x1ebc85 @ 0x7120bc85
system+0x1f683b @ 0x7121683b
system+0x1a5e44 @ 0x711c5e44
system+0x1fd8a0 @ 0x7121d8a0
system+0x1fd792 @ 0x7121d792
system+0x1a14bd @ 0x711c14bd
0x246006a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x778ce39e
registers.esp: 9953496
registers.edi: 81712784
registers.eax: 0
registers.ebp: 9953548
registers.edx: 81712792
registers.ebx: 81712792
registers.esi: 1314315434
registers.ecx: 13893632
1 0 0

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f62170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f62195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f621a6
CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f89420
GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fe906f
mscorlib+0x2d866e @ 0x7289866e
mscorlib+0x2d85ca @ 0x728985ca
mscorlib+0x2d7e2a @ 0x72897e2a
mscorlib+0x2d79ea @ 0x728979ea
mscorlib+0x2d74ff @ 0x728974ff
mscorlib+0x2d71c3 @ 0x728971c3
mscorlib+0x2d6c3c @ 0x72896c3c
mscorlib+0x2fcfb1 @ 0x728bcfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7405db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7405dc8f
mscorlib+0x2fce7e @ 0x728bce7e
mscorlib+0x2fcd8c @ 0x728bcd8c
mscorlib+0x2fcd0b @ 0x728bcd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74085713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740857d5
mscorlib+0x9bc1c8 @ 0x72f7c1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f89df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f89e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740318ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74031bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74183553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74138a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74084e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74084dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746a482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x778ce688
RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x778ce65f
EtwEventRegister+0x17f EtwRegisterTraceGuidsW-0xa ntdll+0x3f839 @ 0x778df839
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x778d02ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x778d01c2
New_ntdll_LdrGetProcedureAddress@16+0xcd New_ntdll_LdrLoadDll@16-0x87 @ 0x7469d3cd
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x755a11c4
CreateAssemblyNameObject+0xe597 GetMetaDataInternalInterface-0x29ed8 clr+0x3ba30 @ 0x73f9ba30
CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x73f89a44
CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x73f8998d
CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x73f89899
CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x73f89832
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73f7bcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73f62ae9
system+0x1eafc4 @ 0x71e2afc4
0x246a069
0x24607f7
system+0x1f9799 @ 0x71219799
system+0x1f92c8 @ 0x712192c8
system+0x1eca74 @ 0x7120ca74

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x778ce39e
registers.esp: 9948360
registers.edi: 81711352
registers.eax: 81300480
registers.ebp: 9948412
registers.edx: 81711360
registers.ebx: 81711360
registers.esi: 1250840679
registers.ecx: 13893632
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x778ce0d2
RtlAllocateAndInitializeSid+0x2b RtlInitializeSListHead-0x97 ntdll+0x3940d @ 0x778d940d
GetComputerNameA+0x9bd GetFileInformationByHandleEx-0x6f2 kernel32+0x2c09d @ 0x7580c09d
GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x7580c1cf
GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x7580c191
MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x757f4ca4
RegOpenKeyExW+0xf6 LocalFree-0x935 kernel32+0x12407 @ 0x757f2407
RegOpenKeyExW+0x21 LocalFree-0xa0a kernel32+0x12332 @ 0x757f2332
New_advapi32_RegOpenKeyExW@20+0x4f New_advapi32_RegQueryInfoKeyA@48-0x173 @ 0x74693ca1
CreateAssemblyNameObject+0xc283 GetMetaDataInternalInterface-0x2c1ec clr+0x3971c @ 0x73f9971c
StrongNameSignatureVerification+0x9a32 GetMetaDataPublicInterfaceFromInternal-0x1e1e clr+0x1934e8 @ 0x740f34e8
StrongNameSignatureVerification+0x9bcc GetMetaDataPublicInterfaceFromInternal-0x1c84 clr+0x193682 @ 0x740f3682
GetMetaDataPublicInterfaceFromInternal+0x641 CopyPDBs-0x2fb clr+0x195947 @ 0x740f5947
GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x740f5b56
GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x740f5543
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x740f1e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x740f2004
mscorlib+0x355147 @ 0x72915147
mscorlib+0x985c14 @ 0x72f45c14
mscorlib+0x9b45cf @ 0x72f745cf
mscorlib+0xd224c1 @ 0x732e24c1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7405db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7405dc8f
mscorlib+0x2fce7e @ 0x728bce7e
mscorlib+0x2fcd8c @ 0x728bcd8c
mscorlib+0x2fcd0b @ 0x728bcd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74085713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740857d5
mscorlib+0x9bc1c8 @ 0x72f7c1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f89df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f89e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740318ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74031bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74183553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74138a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74084e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74084dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746a482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f62170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f62195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f621a6
CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f89420
GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fe906f
mscorlib+0x2d866e @ 0x7289866e
mscorlib+0x2d85ca @ 0x728985ca
mscorlib+0x2d7e2a @ 0x72897e2a
mscorlib+0x2d79ea @ 0x728979ea
mscorlib+0x2d74ff @ 0x728974ff
mscorlib+0x2d71c3 @ 0x728971c3
mscorlib+0x2d6c3c @ 0x72896c3c
mscorlib+0x2fcfb1 @ 0x728bcfb1

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x778ce2f4
registers.esp: 9939984
registers.edi: 21
registers.eax: 82142200
registers.ebp: 9940116
registers.edx: 13924400
registers.ebx: 258
registers.esi: 82142208
registers.ecx: 81300488
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x778ce0d2
RtlAllocateAndInitializeSid+0x2b RtlInitializeSListHead-0x97 ntdll+0x3940d @ 0x778d940d
GetComputerNameA+0x9bd GetFileInformationByHandleEx-0x6f2 kernel32+0x2c09d @ 0x7580c09d
GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x7580c1cf
GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x7580c191
MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x757f4ca4
RegOpenKeyExW+0xf6 LocalFree-0x935 kernel32+0x12407 @ 0x757f2407
RegOpenKeyExW+0x21 LocalFree-0xa0a kernel32+0x12332 @ 0x757f2332
New_advapi32_RegOpenKeyExW@20+0x4f New_advapi32_RegQueryInfoKeyA@48-0x173 @ 0x74693ca1
CreateAssemblyNameObject+0xc283 GetMetaDataInternalInterface-0x2c1ec clr+0x3971c @ 0x73f9971c
StrongNameSignatureVerification+0x9a32 GetMetaDataPublicInterfaceFromInternal-0x1e1e clr+0x1934e8 @ 0x740f34e8
StrongNameSignatureVerification+0x9bcc GetMetaDataPublicInterfaceFromInternal-0x1c84 clr+0x193682 @ 0x740f3682
GetMetaDataPublicInterfaceFromInternal+0x641 CopyPDBs-0x2fb clr+0x195947 @ 0x740f5947
GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x740f5b56
GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x740f5543
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x740f1e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x740f2004
mscorlib+0x355147 @ 0x72915147
mscorlib+0x985c14 @ 0x72f45c14
mscorlib+0x9b45cf @ 0x72f745cf
mscorlib+0xd224c1 @ 0x732e24c1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7405db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7405dc8f
mscorlib+0x2fce7e @ 0x728bce7e
mscorlib+0x2fcd8c @ 0x728bcd8c
mscorlib+0x2fcd0b @ 0x728bcd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74085713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740857d5
mscorlib+0x9bc1c8 @ 0x72f7c1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f89df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f89e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740318ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74031bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74183553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74138a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74084e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74084dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746a482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f62170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f62195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f621a6
CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f89420
GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fe906f
mscorlib+0x2d866e @ 0x7289866e
mscorlib+0x2d85ca @ 0x728985ca
mscorlib+0x2d7e2a @ 0x72897e2a
mscorlib+0x2d79ea @ 0x728979ea
mscorlib+0x2d74ff @ 0x728974ff
mscorlib+0x2d71c3 @ 0x728971c3
mscorlib+0x2d6c3c @ 0x72896c3c
mscorlib+0x2fcfb1 @ 0x728bcfb1

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x778d6f08
registers.esp: 9939984
registers.edi: 258
registers.eax: 82142200
registers.ebp: 9940116
registers.edx: 3529506838
registers.ebx: 21
registers.esi: 82142208
registers.ecx: 81300488
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x778ce0d2
RtlEncodeSystemPointer+0x30 RtlFindClearBits-0x761 ntdll+0x3e088 @ 0x778de088
RtlSetBits+0xfe RtlFlsAlloc-0x75 ntdll+0x3e9ee @ 0x778de9ee
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x778dea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x778de94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x778dd69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x778dc4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7469d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x755a1d2a
GetMetaDataPublicInterfaceFromInternal+0x753 CopyPDBs-0x1e9 clr+0x195a59 @ 0x740f5a59
GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x740f5b56
GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x740f5543
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x740f1e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x740f2004
mscorlib+0x355147 @ 0x72915147
mscorlib+0x985c14 @ 0x72f45c14
mscorlib+0x9b45cf @ 0x72f745cf
mscorlib+0xd224c1 @ 0x732e24c1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7405db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7405dc8f
mscorlib+0x2fce7e @ 0x728bce7e
mscorlib+0x2fcd8c @ 0x728bcd8c
mscorlib+0x2fcd0b @ 0x728bcd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74085713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740857d5
mscorlib+0x9bc1c8 @ 0x72f7c1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f89df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f89e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740318ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74031bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74183553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74138a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74084e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74084dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746a482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f62170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f62195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f621a6
CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f89420
GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fe906f
mscorlib+0x2d866e @ 0x7289866e
mscorlib+0x2d85ca @ 0x728985ca
mscorlib+0x2d7e2a @ 0x72897e2a
mscorlib+0x2d79ea @ 0x728979ea
mscorlib+0x2d74ff @ 0x728974ff
mscorlib+0x2d71c3 @ 0x728971c3
mscorlib+0x2d6c3c @ 0x72896c3c
mscorlib+0x2fcfb1 @ 0x728bcfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x778ce2f4
registers.esp: 9940208
registers.edi: 21
registers.eax: 82142200
registers.ebp: 9940340
registers.edx: 13924400
registers.ebx: 259
registers.esi: 82142208
registers.ecx: 81300488
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x778ce0d2
RtlEncodeSystemPointer+0x30 RtlFindClearBits-0x761 ntdll+0x3e088 @ 0x778de088
RtlSetBits+0xfe RtlFlsAlloc-0x75 ntdll+0x3e9ee @ 0x778de9ee
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x778dea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x778de94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x778dd69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x778dc4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7469d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x755a1d2a
GetMetaDataPublicInterfaceFromInternal+0x753 CopyPDBs-0x1e9 clr+0x195a59 @ 0x740f5a59
GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x740f5b56
GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x740f5543
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x740f1e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x740f2004
mscorlib+0x355147 @ 0x72915147
mscorlib+0x985c14 @ 0x72f45c14
mscorlib+0x9b45cf @ 0x72f745cf
mscorlib+0xd224c1 @ 0x732e24c1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7405db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7405dc8f
mscorlib+0x2fce7e @ 0x728bce7e
mscorlib+0x2fcd8c @ 0x728bcd8c
mscorlib+0x2fcd0b @ 0x728bcd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x74085713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x740857d5
mscorlib+0x9bc1c8 @ 0x72f7c1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f89df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f89e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x740318ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x74031bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x74183553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x74138a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x74084e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x74084dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x778e6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746a482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x778ce003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x73f62170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x73f62195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x73f621a6
CoUninitializeEE+0x9bdc CreateAssemblyNameObject-0x4079 clr+0x29420 @ 0x73f89420
GetPrivateContextsPerfCounters+0x10ed DllGetActivationFactoryImpl-0x13778 clr+0x8906f @ 0x73fe906f
mscorlib+0x2d866e @ 0x7289866e
mscorlib+0x2d85ca @ 0x728985ca
mscorlib+0x2d7e2a @ 0x72897e2a
mscorlib+0x2d79ea @ 0x728979ea
mscorlib+0x2d74ff @ 0x728974ff
mscorlib+0x2d71c3 @ 0x728971c3
mscorlib+0x2d6c3c @ 0x72896c3c
mscorlib+0x2fcfb1 @ 0x728bcfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x778d6f08
registers.esp: 9940208
registers.edi: 259
registers.eax: 82142200
registers.ebp: 9940340
registers.edx: 3529506838
registers.ebx: 21
registers.esi: 82142208
registers.ecx: 81300488
1 0 0

__exception__

 stacktrace: 
0x50414b2
0x4a5e993
0x4a5c74f
0x4a5c1cd
0x4a5b2d1
0x4a59df1
0x4a51efa
0xecd0bb
0xec5497
0xec46f5
0xec42f0
system+0x205d05 @ 0x71e45d05
system+0x205cdf @ 0x71e45cdf
mscorlib+0x302367 @ 0x728c2367
mscorlib+0x3022a6 @ 0x728c22a6
mscorlib+0x302261 @ 0x728c2261
system+0x205c60 @ 0x71e45c60
system+0x205467 @ 0x71e45467
mscorlib+0x34bb1e @ 0x7290bb1e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x740990ec
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fd7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fd7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fd7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f6c3bf
DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x740991a8
DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x740991f1
GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x740d71e9
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7407a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 bc 8b 45 bc 89 45 b8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5041767
registers.esp: 88660324
registers.edi: 88660388
registers.eax: 0
registers.ebp: 88660400
registers.edx: 9478880
registers.ebx: 1090824891
registers.esi: 41323744
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x50414b2
0x4a5e993
0x4a5c74f
0x4a5c1cd
0x5f3cbde
0x5bbb77c
0x5bb9cb8
mscorlib+0x30c9ff @ 0x728cc9ff
mscorlib+0x302367 @ 0x728c2367
mscorlib+0x3022a6 @ 0x728c22a6
mscorlib+0x302261 @ 0x728c2261
mscorlib+0x30ca7c @ 0x728cca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x740007d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fd7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fd7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fd7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f6c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x74000694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7407a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 bc 8b 45 bc 89 45 b8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5041767
registers.esp: 106096112
registers.edi: 106096176
registers.eax: 0
registers.ebp: 106096188
registers.edx: 88813752
registers.ebx: 1090824891
registers.esi: 46620848
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74111194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x73fe2ba1
mscorlib+0x36dd51 @ 0x7292dd51
mscorlib+0x32fea6 @ 0x728efea6
mscorlib+0x30ab40 @ 0x728cab40
0x504f304
0x6025784
0x6024cbb
0x504845c
0x5042129
0x4a5c907
0x4a5c1cd
0x5f3cbde
0x5bbb77c
0x5bb9cb8
mscorlib+0x30c9ff @ 0x728cc9ff
mscorlib+0x302367 @ 0x728c2367
mscorlib+0x3022a6 @ 0x728c22a6
mscorlib+0x302261 @ 0x728c2261
mscorlib+0x30ca7c @ 0x728cca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x740007d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fd7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fd7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fd7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f6c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x74000694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7407a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 106095928
registers.edi: 0
registers.eax: 106095928
registers.ebp: 106096008
registers.edx: 0
registers.ebx: 8970440
registers.esi: 88813752
registers.ecx: 2481958557
1 0 0

__exception__

 stacktrace: 
0x50414b2
0x4a5e993
0x4a5c74f
0x4a5c1cd
0x4a5b2d1
0x4a59df1
0x4a51efa
0xecd0bb
0xec5497
0xec46f5
0xec42f0
system+0x205d05 @ 0x71e45d05
system+0x205cdf @ 0x71e45cdf
mscorlib+0x302367 @ 0x728c2367
mscorlib+0x3022a6 @ 0x728c22a6
mscorlib+0x302261 @ 0x728c2261
system+0x205c60 @ 0x71e45c60
system+0x205467 @ 0x71e45467
mscorlib+0x34bb1e @ 0x7290bb1e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x740990ec
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fd7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fd7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fd7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f6c3bf
DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x740991a8
DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x740991f1
GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x740d71e9
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7407a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 bc 8b 45 bc 89 45 b8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5041767
registers.esp: 169399316
registers.edi: 169399380
registers.eax: 0
registers.ebp: 169399392
registers.edx: 88872912
registers.ebx: 40175460
registers.esi: 41072512
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74111194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x73fe2ba1
mscorlib+0x2f5a19 @ 0x728b5a19
mscorlib+0x30493b @ 0x728c493b
system+0x250836 @ 0x6cae0836
system+0x250707 @ 0x6cae0707
system+0x24e18d @ 0x6cade18d
system+0x24dea7 @ 0x6caddea7
0x504ee4b
0x504eb91
0x5969218
0x5969031
0x504d376
0x504bed5
0x5049811
0x5042129
0x4a5c907
0x4a5c1cd
0x4a5b2d1
0x4a59df1
0x4a51efa
0xecd0bb
0xec5497
0xec46f5
0xec42f0
system+0x205d05 @ 0x71e45d05
system+0x205cdf @ 0x71e45cdf
mscorlib+0x302367 @ 0x728c2367
mscorlib+0x3022a6 @ 0x728c22a6
mscorlib+0x302261 @ 0x728c2261
system+0x205c60 @ 0x71e45c60
system+0x205467 @ 0x71e45467
mscorlib+0x34bb1e @ 0x7290bb1e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x73f79dd2
DllGetClassObjectInternal+0x74073 CorDllMainForThunk-0x18488 clr+0x1390ec @ 0x740990ec
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fd7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fd7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fd7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f6c3bf
DllGetClassObjectInternal+0x7412f CorDllMainForThunk-0x183cc clr+0x1391a8 @ 0x740991a8
DllGetClassObjectInternal+0x74178 CorDllMainForThunk-0x18383 clr+0x1391f1 @ 0x740991f1
GetMetaDataInternalInterfaceFromPublic+0xab22 PreBindAssemblyEx-0x982 clr+0x1771e9 @ 0x740d71e9
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7407a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 169396932
registers.edi: 0
registers.eax: 169396932
registers.ebp: 169397012
registers.edx: 0
registers.ebx: 88831008
registers.esi: 88872912
registers.ecx: 2678423821
1 0 0

__exception__

 stacktrace: 
0x50414b2
0x4a5e993
0x4a5c74f
0x4a5c1cd
0x5f3cbde
0x5bbb77c
0x5bb9cb8
mscorlib+0x30c9ff @ 0x728cc9ff
mscorlib+0x302367 @ 0x728c2367
mscorlib+0x3022a6 @ 0x728c22a6
mscorlib+0x302261 @ 0x728c2261
mscorlib+0x30ca7c @ 0x728cca7c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95
DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x740007d8
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73fd7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73fd7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73fd7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f6c3bf
DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x74000694
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7407a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 bc 8b 45 bc 89 45 b8
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5041767
registers.esp: 134341696
registers.edi: 134341760
registers.eax: 0
registers.ebp: 134341772
registers.edx: 88951992
registers.ebx: 1090824891
registers.esi: 41161776
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02420000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a85000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a8b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a87000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02440000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02441000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02442000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02443000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02444000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02445000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02446000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02460000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a1a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a77000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02461000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009ce000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009cf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02462000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02447000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckpaelocniggkheibcacecnmmlmeodfa
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file C:\ProgramData\GoogleDriveAdvodrs\jquery.js
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file C:\ProgramData\GoogleDriveAdvodrs\background.js
file C:\ProgramData\GoogleDriveAdvodrs\content.js
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2672
thread_handle: 0x00000468
process_identifier: 2668
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "taskkill.exe" /im chrome.exe /f
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000478
1 1 0
ESET-NOD32 a variant of MSIL/Kryptik.AKDO
APEX Malicious
Ikarus Trojan-Spy.Win32.Agent
Fortinet MSIL/Kryptik.AKAG!tr
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 1158
family: 0
1 0 0
section {u'size_of_data': u'0x00601e00', u'virtual_address': u'0x00002000', u'entropy': 7.445412338176349, u'name': u'.text', u'virtual_size': u'0x00601c14'} entropy 7.44541233818 description A section with a high entropy has been found
entropy 0.989862418537 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

RegOpenKeyExW

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000404
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

 regkey_r: 7-Zip
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

 regkey_r: AddressBook
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

 regkey_r: Adobe AIR
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

 regkey_r: Connection Manager
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

 regkey_r: DirectDrawEx
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

 regkey_r: EditPlus
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

 regkey_r: Fontcore
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

 regkey_r: Google Chrome
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

 regkey_r: Haansoft HWord 80 Korean
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

 regkey_r: IE40
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

 regkey_r: IE4Data
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

 regkey_r: IE5BAKEX
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

 regkey_r: IEData
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

 regkey_r: MobileOptionPack
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

 regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

 regkey_r: Office15.PROPLUSR
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExW

 regkey_r: SchedulingAgent
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

 regkey_r: WIC
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

 regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

 regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

 regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

 regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

 regkey_r: {4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExW

 regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0015-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0016-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0018-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0019-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001A-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001B-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001F-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001F-040C-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-002C-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0044-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-006E-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0090-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00A1-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00E1-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-00E2-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0115-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-0117-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {90150000-012B-0409-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {91150000-0011-0000-0000-0000000FF1CE}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

 regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

 regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

 regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

 regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561}
base_handle: 0x00000404
key_handle: 0x000003fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
1 0 0
cmdline "taskkill.exe" /im chrome.exe /f
wmi SELECT * FROM Win32_Processor
host 138.201.120.172
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2428
region_size: 860160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b0
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description RegAsm.exe tried to sleep 5456602 seconds, actually delayed analysis time by 5456602 seconds
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
wmi SELECT * FROM Win32_VideoController
wmi SELECT * FROM AntivirusProduct
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Process Where SessionId='1'
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
wmi SELECT * FROM AntiSpyWareProduct
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM Win32_DiskDrive
wmi SELECT * FROM Win32_Processor
wmi SELECT Caption FROM Win32_OperatingSystem
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELv\eà ° >Ï @  ðÎ Kà   H.textD¯ °  `.rsrcà ² @@.reloc ¸ @B
base_address: 0x00400000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ à Ôtã êÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.08 InternalNamebladfin.exe&LegalCopyright*LegalTrademarks@ OriginalFilenamebladfin.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x004ce000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

 buffer: À @?
base_address: 0x004d0000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2428
process_handle: 0x000002b0
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELv\eà ° >Ï @  ðÎ Kà   H.textD¯ °  `.rsrcà ² @@.reloc ¸ @B
base_address: 0x00400000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x000003fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

 key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0
Process injection Process 1952 called NtSetContextThread to modify thread in remote process 2428
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 3668272
registers.edi: 0
registers.eax: 5033790
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002ac
process_identifier: 2428
1 0 0
Process injection Process 1952 resumed a thread in remote process 2428
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2428
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1952
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1952
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1952
1 0 0

NtResumeThread

 thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 1952
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 1952
1 0 0

CreateProcessInternalW

 thread_identifier: 2432
thread_handle: 0x000002ac
process_identifier: 2428
current_directory:
filepath:
track: 1
command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
filepath_r:
stack_pivoted: 0
creation_flags: 564 (CREATE_NEW_CONSOLE|CREATE_NEW_PROCESS_GROUP|CREATE_SUSPENDED|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x000002b0
1 1 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 1999372288
process_identifier: 2428
process_handle: 0x000002b0
3221225497 0

NtAllocateVirtualMemory

 process_identifier: 2428
region_size: 860160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002b0
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELv\eà ° >Ï @  ðÎ Kà   H.textD¯ °  `.rsrcà ² @@.reloc ¸ @B
base_address: 0x00400000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ à Ôtã êÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.08 InternalNamebladfin.exe&LegalCopyright*LegalTrademarks@ OriginalFilenamebladfin.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x004ce000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

WriteProcessMemory

 buffer: À @?
base_address: 0x004d0000
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

NtGetContextThread

 thread_handle: 0x000002ac
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2428
process_handle: 0x000002b0
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 3668272
registers.edi: 0
registers.eax: 5033790
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002ac
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x0000017c
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x000001ec
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000230
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000308
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x000003f4
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000278
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2428
1 0 0

CreateProcessInternalW

 thread_identifier: 2672
thread_handle: 0x00000468
process_identifier: 2668
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "taskkill.exe" /im chrome.exe /f
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000478
1 1 0

NtResumeThread

 thread_handle: 0x00000278
suspend_count: 1
process_identifier: 2428
1 0 0

NtGetContextThread

 thread_handle: 0x00000448
1 0 0

NtGetContextThread

 thread_handle: 0x00000448
1 0 0

NtGetContextThread

 thread_handle: 0x00000448
1 0 0

NtSetContextThread

 registers.eip: 1946037124
registers.esp: 106096136
registers.edi: 61685760
registers.eax: 93192704
registers.ebp: 106096176
registers.edx: 67
registers.ebx: 0
registers.esi: 67
registers.ecx: 40519092
thread_handle: 0x00000448
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2428
1 0 0

NtGetContextThread

 thread_handle: 0x00000448
1 0 0

NtGetContextThread

 thread_handle: 0x00000448
1 0 0

NtResumeThread

 thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000420
suspend_count: 1
process_identifier: 2428
1 0 0

NtGetContextThread

 thread_handle: 0x00000420
1 0 0

NtGetContextThread

 thread_handle: 0x00000420
1 0 0

NtGetContextThread

 thread_handle: 0x00000420
1 0 0

NtSetContextThread

 registers.eip: 1946037124
registers.esp: 169397140
registers.edi: 43491132
registers.eax: 27
registers.ebp: 169397176
registers.edx: 43490972
registers.ebx: 43568132
registers.esi: 43448472
registers.ecx: 37
thread_handle: 0x00000420
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000420
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000438
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000478
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x000003a0
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x0000048c
suspend_count: 1
process_identifier: 2428
1 0 0

NtResumeThread

 thread_handle: 0x00000214
suspend_count: 1
process_identifier: 2428
1 0 0