Summary | ZeroBOX

hv.exe

Tags: .NET framework (MSIL), Malicious Library, Admin Tool (Sysinternals etc.), UPX, Malicious Packer, PWS, AntiDebug, PE File, DLL, OS Processor Check, PE32, .NET EXE, AntiVM
Category    FILE
Machine     s1_win7_x6401
Started     June 27, 2024, 10:09 a.m.
Completed   June 27, 2024, 10:26 a.m.

Size        5.4MB
Type        PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5         6a1db4f73db4ed058c8cd7e04dfa7cc3
SHA256      0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec
CRC32       BBC70272
ssdeep      49152:gzlsiRwPVALodv5ezAayuESxLZfsUyRRBIH2yHnJh4r5Nvo6X29ke0UzMPy7lyE4:gzlsiRtDdnu42yHQDv5o0IKDTNVn
PDB Path    libraryapp_for_translators_and_linguists.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • UPX_Zero - UPX packed file

Domains
Name            Response        Post-Analysis Lookup
pastebin.com    172.67.19.24

Hosts
IP Address      Status   Action
104.20.3.235    Active   Moloch
164.124.101.2   Active   Moloch
194.26.29.153   Active   Moloch

Note: pastebin.com is the only name resolved, and the TLS session below goes to 104.20.3.235 rather than the 172.67.19.24 answer. Both addresses are Cloudflare edge ranges fronting pastebin.com, so the difference is CDN load balancing, not a second host. The report does not capture the response body, so whether the paste carried a C2 address or a payload stage cannot be determined from this run. 164.124.101.2 and 194.26.29.153 appear only in the host list, with no DNS answer or alert tied to them.

Suricata Alerts

Flow                                            SID         Signature                                                       Category
TCP 192.168.56.101:49168 -> 104.20.3.235:443    906200022   SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)   undefined

Caveat: a JA3 hash fingerprints the TLS stack that built the ClientHello, not the binary driving it. A .NET Framework sample on this Windows 7 guest uses the system SChannel stack, whose fingerprints are shared by many unrelated programs, so the "Tofsee" label is the SSLBL rule's attribution for that hash and is not corroborated by anything else in this report. Read the alert as "a JA3 value on a blocklist was seen", not as a family identification.
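How the alerting fingerprint is derived, as an added example that is not part of the ZeroBOX report or of the analysed sample: a JA3 string is the ClientHello's version, cipher suites, extension types, supported groups and EC point formats, joined with commas and hyphens, then MD5-hashed. The ClientHello below is constructed in the script (its cipher suites, extensions and the pastebin.com SNI are assumptions chosen to look like a Windows client), so the resulting hash is illustrative; the point is which fields the hash depends on and that GREASE values are dropped before hashing.

```python
"""JA3 fingerprint computation over a constructed TLS ClientHello (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3, as the reference implementation does.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(ciphers, extensions, version=0x0303):
    """Wrap a ClientHello body in handshake and record headers (constructed sample data)."""
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"    # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs         # record: handshake, legacy version


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                                           # record header (5) + handshake header (4)
    version = struct.unpack_from(">H", record, p)[0]; p += 2
    p += 32                                                         # client random
    p += 1 + record[p]                                              # session id
    n = struct.unpack_from(">H", record, p)[0]; p += 2
    ciphers = [c for c in struct.unpack_from(">%dH" % (n // 2), record, p) if c not in GREASE]; p += n
    p += 1 + record[p]                                              # compression methods
    ext_total = struct.unpack_from(">H", record, p)[0]; p += 2
    end = p + ext_total
    ext_types, groups, formats = [], [], []
    while p < end:
        t, l = struct.unpack_from(">HH", record, p); p += 4
        data = record[p:p + l]; p += l
        if t in GREASE:
            continue
        ext_types.append(t)
        if t == 0x000a:                                             # supported_groups
            gl = struct.unpack_from(">H", data, 0)[0]
            groups = [g for g in struct.unpack_from(">%dH" % (gl // 2), data, 2) if g not in GREASE]
        elif t == 0x000b:                                           # ec_point_formats
            formats = list(data[1:1 + data[0]])
    s = ",".join([str(version),
                  "-".join(map(str, ciphers)),
                  "-".join(map(str, ext_types)),
                  "-".join(map(str, groups)),
                  "-".join(map(str, formats))])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello. A GREASE cipher and a GREASE extension are included
# deliberately to show that they do not influence the fingerprint.
SAMPLE_HELLO = build_client_hello(
    ciphers=[0x0a0a, 0xc02b, 0xc02f, 0x009c, 0x002f],
    extensions=[
        (0x0000, b"\x00\x0f\x00\x00\x0c" + b"pastebin.com"),        # server_name (SNI), not part of JA3
        (0x000a, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),              # supported_groups: x25519, P-256, P-384
        (0x000b, b"\x01\x00"),                                      # ec_point_formats: uncompressed
        (0x0a0a, b""),                                              # GREASE extension
    ],
)

if __name__ == "__main__":
    print(ja3(SAMPLE_HELLO))
```

Because the SNI is not an input to JA3, every SChannel client on the guest that offers the same suites and extensions produces the same hash regardless of which site it contacts; that is why a blocklist hit on JA3 alone is weak evidence of the family the rule names.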

Suricata TLS

Flow                                                   Issuer                                    Subject           Fingerprint (SHA-1)
TLS 1.2  192.168.56.101:49168 -> 104.20.3.235:443      C=US, O=Google Trust Services, CN=WE1     CN=pastebin.com   82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f

Time & API          Arguments                   Status  Return  Repeated
GetComputerNameA    computer_name: TEST22-PC    1       1       0
GetComputerNameW    computer_name: TEST22-PC    1       1       0
Time & API          Arguments    Status  Return  Repeated
IsDebuggerPresent   (none)       0 0
IsDebuggerPresent   (none)       0 0
IsDebuggerPresent   (none)       0 0
IsDebuggerPresent   (none)       0 0
IsDebuggerPresent   (none)       0 0
IsDebuggerPresent   (none)       0 0

Six calls; the return value is 0 each time, i.e. no debugger was attached when the check ran. Only two of the three columns were recorded for this API and they are reproduced as printed.
Time & API       Arguments                                                                                                      Status  Return  Repeated
CryptExportKey   crypto_handle: 0x0034b8e0, crypto_export_handle: 0x00000000, blob_type: 6, flags: 0, buffer: <INVALID POINTER>   1       1       0
CryptExportKey   crypto_handle: 0x0034b8e0, crypto_export_handle: 0x00000000, blob_type: 6, flags: 0, buffer: <INVALID POINTER>   1       1       0
CryptExportKey   crypto_handle: 0x0034b9a0, crypto_export_handle: 0x00000000, blob_type: 6, flags: 0, buffer: <INVALID POINTER>   1       1       0
CryptExportKey   crypto_handle: 0x0059b268, crypto_export_handle: 0x00000000, blob_type: 6, flags: 0, buffer: <INVALID POINTER>   1       1       0
CryptExportKey   crypto_handle: 0x0059b268, crypto_export_handle: 0x00000000, blob_type: 6, flags: 0, buffer: <INVALID POINTER>   1       1       0
CryptExportKey   crypto_handle: 0x0059b128, crypto_export_handle: 0x00000000, blob_type: 6, flags: 0, buffer: <INVALID POINTER>   1       1       0

Note: blob_type 6 is PUBLICKEYBLOB (wincrypt.h), and crypto_export_handle 0 means no wrapping key, which is the only valid form for a public-key export. The paired calls on 0x0034b8e0 and 0x0059b268 are consistent with the CryptoAPI size-query-then-export idiom (first call with a NULL output buffer to learn the length, second call with the allocated buffer); this is what managed code typically triggers through RSACryptoServiceProvider.ExportParameters(false) on a CSP-backed key. The sandbox could not read the output buffer on any of the calls, so the exported public keys are not in the report. Exporting a public key is not by itself an indicator; a password stealer would do this to set up RSA-wrapped exfiltration, but equally a benign updater would do it to verify a signature, and nothing here shows which.
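What CryptExportKey writes for blob_type 6, as an added example that is not part of the ZeroBOX report: the output is a BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) followed by an RSAPUBKEY (magic "RSA1", bitlen, pubexp) and the modulus in little-endian byte order. The report records only the call parameters, so the blob below is built from an assumed 1024-bit modulus with exponent 65537 (constructed, not a real key); the parser is the part an analyst would run on bytes recovered from a memory dump or a fuller trace.

```python
"""Build and decode a CryptoAPI PUBLICKEYBLOB (CryptExportKey blob_type 6). Added example."""
import struct

PUBLICKEYBLOB = 0x06            # bType values from wincrypt.h
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400
RSA1_MAGIC = 0x31415352         # "RSA1": RSAPUBKEY.magic for a public key
RSA2_MAGIC = 0x32415352         # "RSA2": private key (not handled here)


def build_public_key_blob(modulus: int, exponent: int, alg: int = CALG_RSA_KEYX) -> bytes:
    """Serialise BLOBHEADER + RSAPUBKEY + little-endian modulus, the layout CryptExportKey returns for type 6."""
    bitlen = (modulus.bit_length() + 7) // 8 * 8          # CryptoAPI key lengths are whole bytes
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


def parse_public_key_blob(blob: bytes) -> dict:
    """Validate both headers and return the RSA parameters; raises ValueError on a malformed blob."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, ver, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB:
        raise ValueError("bType 0x%02x is not PUBLICKEYBLOB" % btype)
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("unexpected aiKeyAlg 0x%08x" % alg)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY.magic 0x%08x is not RSA1" % magic)
    nbytes = bitlen // 8
    if len(blob) != 20 + nbytes:                           # a truncated or padded blob is rejected, not guessed at
        raise ValueError("modulus length %d does not match bitlen %d" % (len(blob) - 20, bitlen))
    modulus = int.from_bytes(blob[20:20 + nbytes], "little")
    return {"alg": alg, "bitlen": bitlen, "exponent": pubexp, "modulus": modulus}


# Constructed key material: an assumed 1024-bit odd modulus (not a real key), e = 65537.
SAMPLE_MODULUS = (1 << 1023) | 0x1234567
SAMPLE_BLOB = build_public_key_blob(SAMPLE_MODULUS, 65537)

if __name__ == "__main__":
    k = parse_public_key_blob(SAMPLE_BLOB)
    print("alg=0x%x bits=%d e=%d n(top 32 bits)=0x%x" % (k["alg"], k["bitlen"], k["exponent"], k["modulus"] >> 992))
```

The magic and bType checks matter in practice: a PRIVATEKEYBLOB (bType 7, magic "RSA2") starts with the same RSAPUBKEY prefix and then carries the CRT primes, so a parser that skips the header checks will silently read a private key as if it were public.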
pdb_path    libraryapp_for_translators_and_linguists.pdb
Time & API             Arguments    Status  Return  Repeated
GlobalMemoryStatusEx   (none)       1       1       0

Reading total physical memory is a common VM/sandbox check (small RAM sizes betray an analysis guest), which is what the AntiVM tag refers to; the report does not record the value returned or what the sample did with it.
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x8947fe
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
CreateHistoryReader+0x48031 PostErrorVA-0x120f2e clr+0x257876 @ 0x729f7876
CreateAssemblyNameObject+0x27e00 GetMetaDataInternalInterface-0x1066f clr+0x55299 @ 0x727f5299
CreateAssemblyNameObject+0x27c6a GetMetaDataInternalInterface-0x10805 clr+0x55103 @ 0x727f5103
CreateAssemblyNameObject+0x27e4b GetMetaDataInternalInterface-0x10624 clr+0x552e4 @ 0x727f52e4
CoUninitializeEE+0x9986 CreateAssemblyNameObject-0x42cf clr+0x291ca @ 0x727c91ca
CoUninitializeEE+0x1270 CreateAssemblyNameObject-0xc9e5 clr+0x20ab4 @ 0x727c0ab4
CoUninitializeEE+0x79c6 CreateAssemblyNameObject-0x628f clr+0x2720a @ 0x727c720a
LogHelp_TerminateOnAssert+0x13555 GetPrivateContextsPerfCounters-0x5eed clr+0x82095 @ 0x72822095
mscorlib+0x38ab46 @ 0x71b6ab46
mscorlib+0x304ce0 @ 0x71ae4ce0
mscorlib+0x304c20 @ 0x71ae4c20
mscorlib+0x333905 @ 0x71b13905
0x8910b1
0x89586e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x727c9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x727c9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x727c9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x727c9fa2
CoUninitializeEE+0xa85a CreateAssemblyNameObject-0x33fb clr+0x2a09e @ 0x727ca09e
CoUninitializeEE+0xa8be CreateAssemblyNameObject-0x3397 clr+0x2a102 @ 0x727ca102
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
PreBindAssemblyEx+0x10899 StrongNameSignatureVerification-0x16b2 clr+0x188404 @ 0x72928404
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x727f5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x7282932e
mscorlib+0x2d5eb7 @ 0x71ab5eb7
mscorlib+0x2d5c33 @ 0x71ab5c33
mscorlib+0x2d7894 @ 0x71ab7894
mscorlib+0x2d74ff @ 0x71ab74ff
mscorlib+0x2d71c3 @ 0x71ab71c3
mscorlib+0x2d48ea @ 0x71ab48ea
mscorlib+0x36990b @ 0x71b4990b
0x893f11
0x893dd6
0x8939d4
0x8920fb
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3

exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 89 45 f4 8b 45 f4 8b e5
exception.instruction: mov eax, dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8958bc
registers.esp: 3119568
registers.edi: 3119968
registers.eax: 5410456
registers.ebp: 3119580
registers.edx: 41926964
registers.ebx: 41920420
registers.esi: 41685784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x8947fe
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
PreBindAssemblyEx+0x10899 StrongNameSignatureVerification-0x16b2 clr+0x188404 @ 0x72928404
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x727f5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x7282932e
mscorlib+0x2d5eb7 @ 0x71ab5eb7
mscorlib+0x2d5c33 @ 0x71ab5c33
mscorlib+0x2d7894 @ 0x71ab7894
mscorlib+0x2d74ff @ 0x71ab74ff
mscorlib+0x2d71c3 @ 0x71ab71c3
mscorlib+0x2d48ea @ 0x71ab48ea
mscorlib+0x36990b @ 0x71b4990b
0x893f11
0x893dd6
0x8939d4
0x8920fb
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 89 45 f4 8b 45 f4 8b e5
exception.instruction: mov eax, dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8958bc
registers.esp: 3133552
registers.edi: 3133952
registers.eax: 5410456
registers.ebp: 3133564
registers.edx: 41919476
registers.ebx: 41842660
registers.esi: 41685784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x8947fe
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
PreBindAssemblyEx+0x108ef StrongNameSignatureVerification-0x165c clr+0x18845a @ 0x7292845a
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x727f5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x7282932e
mscorlib+0x2d5eb7 @ 0x71ab5eb7
mscorlib+0x2d5c33 @ 0x71ab5c33
mscorlib+0x2d7894 @ 0x71ab7894
mscorlib+0x2d74ff @ 0x71ab74ff
mscorlib+0x2d71c3 @ 0x71ab71c3
mscorlib+0x2d48ea @ 0x71ab48ea
mscorlib+0x36990b @ 0x71b4990b
0x893f11
0x893dd6
0x8939d4
0x8920fb
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 89 45 f4 8b 45 f4 8b e5
exception.instruction: mov eax, dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8958bc
registers.esp: 3133552
registers.edi: 3133952
registers.eax: 5410456
registers.ebp: 3133564
registers.edx: 41957072
registers.ebx: 41949208
registers.esi: 41685784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x8947fe
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
PreBindAssemblyEx+0x10899 StrongNameSignatureVerification-0x16b2 clr+0x188404 @ 0x72928404
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x727f5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x7282932e
mscorlib+0x2d5eb7 @ 0x71ab5eb7
mscorlib+0x2d5c33 @ 0x71ab5c33
mscorlib+0x2d7894 @ 0x71ab7894
mscorlib+0x2d74ff @ 0x71ab74ff
mscorlib+0x2d71c3 @ 0x71ab71c3
mscorlib+0x2d48ea @ 0x71ab48ea
mscorlib+0x36990b @ 0x71b4990b
0x893f11
0x893dd6
0x8939d4
0x8920fb
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 89 45 f4 8b 45 f4 8b e5
exception.instruction: mov eax, dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8958bc
registers.esp: 3133552
registers.edi: 3133952
registers.eax: 5410456
registers.ebp: 3133564
registers.edx: 41966496
registers.ebx: 41958664
registers.esi: 41685784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x8947fe
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
PreBindAssemblyEx+0x108ef StrongNameSignatureVerification-0x165c clr+0x18845a @ 0x7292845a
CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x727f5b0f
GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x7282932e
mscorlib+0x2d5eb7 @ 0x71ab5eb7
mscorlib+0x2d5c33 @ 0x71ab5c33
mscorlib+0x2d7894 @ 0x71ab7894
mscorlib+0x2d74ff @ 0x71ab74ff
mscorlib+0x2d71c3 @ 0x71ab71c3
mscorlib+0x2d48ea @ 0x71ab48ea
mscorlib+0x36990b @ 0x71b4990b
0x893f11
0x893dd6
0x8939d4
0x8920fb
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 89 45 f4 8b 45 f4 8b e5
exception.instruction: mov eax, dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8958bc
registers.esp: 3133552
registers.edi: 3133952
registers.eax: 5410456
registers.ebp: 3133564
registers.edx: 41974912
registers.ebx: 41967080
registers.esi: 41685784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x8947fe
mscorlib+0x2d5861 @ 0x71ab5861
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7289a867
DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7289a93f
PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x7292836a
CreateHistoryReader+0x48031 PostErrorVA-0x120f2e clr+0x257876 @ 0x729f7876
CreateAssemblyNameObject+0x27e00 GetMetaDataInternalInterface-0x1066f clr+0x55299 @ 0x727f5299
CreateAssemblyNameObject+0x27c6a GetMetaDataInternalInterface-0x10805 clr+0x55103 @ 0x727f5103
CreateAssemblyNameObject+0x27e4b GetMetaDataInternalInterface-0x10624 clr+0x552e4 @ 0x727f52e4
CoUninitializeEE+0x9986 CreateAssemblyNameObject-0x42cf clr+0x291ca @ 0x727c91ca
CoUninitializeEE+0x1270 CreateAssemblyNameObject-0xc9e5 clr+0x20ab4 @ 0x727c0ab4
CoUninitializeEE+0x79c6 CreateAssemblyNameObject-0x628f clr+0x2720a @ 0x727c720a
LogHelp_TerminateOnAssert+0x13555 GetPrivateContextsPerfCounters-0x5eed clr+0x82095 @ 0x72822095
mscorlib+0x38ab46 @ 0x71b6ab46
mscorlib+0x304ce0 @ 0x71ae4ce0
mscorlib+0x304c20 @ 0x71ae4c20
mscorlib+0x333905 @ 0x71b13905
0x8910b1
0x89c936
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x727c9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x727c9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x727c9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x727c9fa2
CoUninitializeEE+0xa85a CreateAssemblyNameObject-0x33fb clr+0x2a09e @ 0x727ca09e
CoUninitializeEE+0xa8be CreateAssemblyNameObject-0x3397 clr+0x2a102 @ 0x727ca102
0x8939fe
0x8920fb
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 41 0c 8b 49 04 ff d0 89 45 f4 8b 45 f4 8b e5
exception.instruction: mov eax, dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8958bc
registers.esp: 3126640
registers.edi: 3127040
registers.eax: 5410456
registers.ebp: 3126652
registers.edx: 42429260
registers.ebx: 42421344
registers.esi: 41685784
registers.ecx: 0
1 0 0

__exception__

stacktrace:
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x727a2170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x727a2195
DllUnregisterServerInternal-0x7ed4 clr+0x2220 @ 0x727a2220
CoUninitializeEE+0xc8ea CreateAssemblyNameObject-0x136b clr+0x2c12e @ 0x727cc12e
CoUninitializeEE+0xc5a6 CreateAssemblyNameObject-0x16af clr+0x2bdea @ 0x727cbdea
CreateAssemblyNameObject+0xa346 GetMetaDataInternalInterface-0x2e129 clr+0x377df @ 0x727d77df
CoUninitializeEE+0xc5a6 CreateAssemblyNameObject-0x16af clr+0x2bdea @ 0x727cbdea
CreateAssemblyNameObject+0x1357d GetMetaDataInternalInterface-0x24ef2 clr+0x40a16 @ 0x727e0a16
CreateAssemblyNameObject+0x1307c GetMetaDataInternalInterface-0x253f3 clr+0x40515 @ 0x727e0515
CreateAssemblyNameObject+0x1185 GetMetaDataInternalInterface-0x372ea clr+0x2e61e @ 0x727ce61e
CreateAssemblyNameObject+0x11c3 GetMetaDataInternalInterface-0x372ac clr+0x2e65c @ 0x727ce65c
CoUninitializeEE+0x2059 CreateAssemblyNameObject-0xbbfc clr+0x2189d @ 0x727c189d
CoUninitializeEE+0x1dbf CreateAssemblyNameObject-0xbe96 clr+0x21603 @ 0x727c1603
CoUninitializeEE+0x3144 CreateAssemblyNameObject-0xab11 clr+0x22988 @ 0x727c2988
DllGetClassObjectInternal+0x27508 CorDllMainForThunk-0x64ff3 clr+0xec581 @ 0x7288c581
CreateAssemblyNameObject+0x9508 GetMetaDataInternalInterface-0x2ef67 clr+0x369a1 @ 0x727d69a1
sxsJitStartup-0x537c5 clrjit+0x10cf @ 0x73bc10cf
sxsJitStartup-0x52b00 clrjit+0x1d94 @ 0x73bc1d94
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73bc1a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73bc1c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x73bc244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x73bc401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73bc4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73bc4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73bc4595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x727d3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x727d3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x727d3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x727d399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x727d3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x727d40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x727bbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x727a2ae9
0x8920a3
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 89 30 8b 45 e0 8b 55 e4 8d 7e 08 f0 0f c7 0f 3b
exception.symbol: RtlInitUnicodeString+0x1f3 RtlMultiByteToUnicodeN-0x14a ntdll+0x2e3fb
exception.instruction: mov dword ptr [eax], esi
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189435
exception.address: 0x76f3e3fb
registers.esp: 3135352
registers.edi: 208666624
registers.eax: 29302272
registers.ebp: 3135404
registers.edx: 12544
registers.ebx: 208667185
registers.esi: 1910776183
registers.ecx: 822085608
1 0 0

__exception__

stacktrace:
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x76f3e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
DllUnregisterServerInternal-0x7f84 clr+0x2170 @ 0x727a2170
DllUnregisterServerInternal-0x7f5f clr+0x2195 @ 0x727a2195
DllUnregisterServerInternal-0x7ed4 clr+0x2220 @ 0x727a2220
CoUninitializeEE+0x2322 CreateAssemblyNameObject-0xb933 clr+0x21b66 @ 0x727c1b66
CreateHistoryReader+0x50eff PostErrorVA-0x118060 clr+0x260744 @ 0x72a00744
CoUninitializeEE+0x1dbf CreateAssemblyNameObject-0xbe96 clr+0x21603 @ 0x727c1603
CoUninitializeEE+0x3144 CreateAssemblyNameObject-0xab11 clr+0x22988 @ 0x727c2988
DllGetClassObjectInternal+0x27508 CorDllMainForThunk-0x64ff3 clr+0xec581 @ 0x7288c581
CreateAssemblyNameObject+0x9508 GetMetaDataInternalInterface-0x2ef67 clr+0x369a1 @ 0x727d69a1
sxsJitStartup-0x537c5 clrjit+0x10cf @ 0x73bc10cf
sxsJitStartup-0x52b00 clrjit+0x1d94 @ 0x73bc1d94
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73bc1a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73bc1c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x73bc244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x73bc401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73bc4132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73bc4282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73bc4595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x727d3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x727d3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x727d3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x727d399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x727d3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x727d40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x727bbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x727a2ae9
0x8920a3
0x891f84
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 89 30 8b 45 e0 8b 55 e4 8d 7e 08 f0 0f c7 0f 3b
exception.symbol: RtlInitUnicodeString+0x1f3 RtlMultiByteToUnicodeN-0x14a ntdll+0x2e3fb
exception.instruction: mov dword ptr [eax], esi
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189435
exception.address: 0x76f3e3fb
registers.esp: 3132824
registers.edi: 1833697280
registers.eax: 175903008
registers.ebp: 3132876
registers.edx: 2692
registers.ebx: 1833701668
registers.esi: 1910135054
registers.ecx: 176431038
1 0 0

__exception__

stacktrace:
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
RtlEncodeSystemPointer+0x30 RtlFindClearBits-0x761 ntdll+0x3e088 @ 0x76f4e088
RtlEncodeSystemPointer+0x411 RtlFindClearBits-0x380 ntdll+0x3e469 @ 0x76f4e469
RtlEncodeSystemPointer+0x4ea RtlFindClearBits-0x2a7 ntdll+0x3e542 @ 0x76f4e542
LdrResFindResourceDirectory+0x51d RtlEncodeSystemPointer-0x126 ntdll+0x3df32 @ 0x76f4df32
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a
DllGetClassObjectInternal+0x53eae CorDllMainForThunk-0x3864d clr+0x118f27 @ 0x728b8f27
CopyPDBs+0x4ee4 DllCanUnloadNowInternal-0x3c0f3 clr+0x19ab26 @ 0x7293ab26
DllGetClassObjectInternal+0x35b9f CorDllMainForThunk-0x5695c clr+0xfac18 @ 0x7289ac18
CreateHistoryReader+0x601ad PostErrorVA-0x108db2 clr+0x26f9f2 @ 0x72a0f9f2
CreateHistoryReader+0x5ef45 PostErrorVA-0x10a01a clr+0x26e78a @ 0x72a0e78a
CreateHistoryReader+0x5fe22 PostErrorVA-0x10913d clr+0x26f667 @ 0x72a0f667
CreateHistoryReader+0x60ecc PostErrorVA-0x108093 clr+0x270711 @ 0x72a10711
CreateHistoryReader+0x14646 PostErrorVA-0x154919 clr+0x223e8b @ 0x729c3e8b
CreateHistoryReader+0x14979 PostErrorVA-0x1545e6 clr+0x2241be @ 0x729c41be
CreateHistoryReader+0x12263 PostErrorVA-0x156cfc clr+0x221aa8 @ 0x729c1aa8
CreateHistoryReader+0x124d0 PostErrorVA-0x156a8f clr+0x221d15 @ 0x729c1d15
_CorDllMain+0x155 _CorExeMain2-0x277 clr+0x1dbf68 @ 0x7297bf68
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b f8 0b da 89
exception.symbol: RtlInitUnicodeString+0xec RtlMultiByteToUnicodeN-0x251 ntdll+0x2e2f4
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189172
exception.address: 0x76f3e2f4
registers.esp: 3128000
registers.edi: 27
registers.eax: 4348480
registers.ebp: 3128132
registers.edx: 3372888
registers.ebx: 1869833610
registers.esi: 4348488
registers.ecx: 4094432
1 0 0

__exception__

stacktrace:
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x76f3e0d2
RtlEncodeSystemPointer+0x30 RtlFindClearBits-0x761 ntdll+0x3e088 @ 0x76f4e088
RtlEncodeSystemPointer+0x411 RtlFindClearBits-0x380 ntdll+0x3e469 @ 0x76f4e469
RtlEncodeSystemPointer+0x4ea RtlFindClearBits-0x2a7 ntdll+0x3e542 @ 0x76f4e542
LdrResFindResourceDirectory+0x51d RtlEncodeSystemPointer-0x126 ntdll+0x3df32 @ 0x76f4df32
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75981d7a
DllGetClassObjectInternal+0x53eae CorDllMainForThunk-0x3864d clr+0x118f27 @ 0x728b8f27
CopyPDBs+0x4ee4 DllCanUnloadNowInternal-0x3c0f3 clr+0x19ab26 @ 0x7293ab26
DllGetClassObjectInternal+0x35b9f CorDllMainForThunk-0x5695c clr+0xfac18 @ 0x7289ac18
CreateHistoryReader+0x601ad PostErrorVA-0x108db2 clr+0x26f9f2 @ 0x72a0f9f2
CreateHistoryReader+0x5ef45 PostErrorVA-0x10a01a clr+0x26e78a @ 0x72a0e78a
CreateHistoryReader+0x5fe22 PostErrorVA-0x10913d clr+0x26f667 @ 0x72a0f667
CreateHistoryReader+0x60ecc PostErrorVA-0x108093 clr+0x270711 @ 0x72a10711
CreateHistoryReader+0x14646 PostErrorVA-0x154919 clr+0x223e8b @ 0x729c3e8b
CreateHistoryReader+0x14979 PostErrorVA-0x1545e6 clr+0x2241be @ 0x729c41be
CreateHistoryReader+0x12263 PostErrorVA-0x156cfc clr+0x221aa8 @ 0x729c1aa8
CreateHistoryReader+0x124d0 PostErrorVA-0x156a8f clr+0x221d15 @ 0x729c1d15
_CorDllMain+0x155 _CorExeMain2-0x277 clr+0x1dbf68 @ 0x7297bf68
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x76f46f08
registers.esp: 3128000
registers.edi: 1869833610
registers.eax: 4348480
registers.ebp: 3128132
registers.edx: 1014497308
registers.ebx: 27
registers.esi: 4348488
registers.ecx: 4094432
1 0 0

__exception__

stacktrace:
0xb0d191
0xb0d031
0xb03ab9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 d0 8b 45 f4 83 c0 a9 8b 15 a0 38
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb0d1f8
registers.esp: 2289348
registers.edi: 2289404
registers.eax: 0
registers.ebp: 2289420
registers.edx: 0
registers.ebx: 2289772
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0xb0d191
0xb0d031
0xb03ab9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73faf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 40 04 89 45 d0 8b 45 f4 83 c0 a9 8b 15 a0 38
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb0d1f8
registers.esp: 2289348
registers.edi: 2289404
registers.eax: 0
registers.ebp: 2289420
registers.edx: 0
registers.ebx: 2289772
registers.esi: 0
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header
suspicious_request GET https://pastebin.com/raw/A54sKxhY
request GET https://pastebin.com/raw/A54sKxhY
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00512000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00545000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0051a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00891000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0096f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00960000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00892000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00893000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00894000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00895000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00896000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00536000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00537000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0089c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0089d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a43000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a45000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a46000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a47000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a48000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a49000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a4d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a5e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0051c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0089e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a5f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a61000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0089f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00940000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00941000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00942000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00943000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a63000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a64000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section name .text virtual_address 0x00002000 virtual_size 0x0053e4e4 size_of_data 0x0053e600 entropy 7.306270823947691 description A section with a high entropy has been found
entropy 0.972031136857 description Overall entropy of this PE file is high
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
buffer Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41
buffer Buffer with sha1: 7bdb3b023c9687e56ad7accb20f6d51089146a1a
host 194.26.29.153
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2844
region_size: 868352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002d4
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥×šeà Æ Žå @ @ 4å W   H.text”Å Æ  `.rsrc È @@.reloc Î @B
base_address: 0x00400000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

WriteProcessMemory

buffer:  €P€8€€h€  Ôt êÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.08 InternalNamebladfin.exe&LegalCopyright*LegalTrademarks@ OriginalFilenamebladfin.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x004d0000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

WriteProcessMemory

buffer: à 5
base_address: 0x004d2000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2844
process_handle: 0x000002d4
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥×šeà Æ Žå @ @ 4å W   H.text”Å Æ  `.rsrc È @@.reloc Î @B
base_address: 0x00400000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0
Process injection Process 2564 called NtSetContextThread to modify thread in remote process 2844
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2292440
registers.edi: 0
registers.eax: 5039502
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002d0
process_identifier: 2844
1 0 0
Process injection Process 2564 resumed a thread in remote process 2844
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 2844
1 0 0
dead_host 194.26.29.153:15648
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2564
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2564
1 0 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2564
1 0 0

NtResumeThread

thread_handle: 0x00000280
suspend_count: 1
process_identifier: 2564
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2564
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2564
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtGetContextThread

thread_handle: 0x000000e4
1 0 0

NtResumeThread

thread_handle: 0x000000e4
suspend_count: 1
process_identifier: 2564
1 0 0

CreateProcessInternalW

thread_identifier: 2848
thread_handle: 0x000002d0
process_identifier: 2844
current_directory:
filepath:
track: 1
command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
filepath_r:
stack_pivoted: 0
creation_flags: 564 (CREATE_NEW_CONSOLE|CREATE_NEW_PROCESS_GROUP|CREATE_SUSPENDED|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x000002d4
1 1 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 7798784
process_identifier: 2844
process_handle: 0x000002d4
3221225497 0

NtAllocateVirtualMemory

process_identifier: 2844
region_size: 868352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002d4
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¥×šeà Æ Žå @ @ 4å W   H.text”Å Æ  `.rsrc È @@.reloc Î @B
base_address: 0x00400000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00402000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

WriteProcessMemory

buffer:  €P€8€€h€  Ôt êÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.08 InternalNamebladfin.exe&LegalCopyright*LegalTrademarks@ OriginalFilenamebladfin.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x004d0000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

WriteProcessMemory

buffer: à 5
base_address: 0x004d2000
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

NtGetContextThread

thread_handle: 0x000002d0
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2844
process_handle: 0x000002d4
1 1 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2292440
registers.edi: 0
registers.eax: 5039502
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002d0
process_identifier: 2844
1 0 0

NtResumeThread

thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2844
1 0 0

NtResumeThread

thread_handle: 0x00000354
suspend_count: 1
process_identifier: 2844
1 0 0
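The rows above are the complete process-hollowing sequence as the sandbox recorded it: jsc.exe is created with creation_flags 564 (which includes CREATE_SUSPENDED, 0x4), NtUnmapViewOfSection on 0x00400000 returns 3221225497 (0xC0000019, STATUS_NOT_MAPPED_VIEW, i.e. the relocated jsc.exe image was not at that base, which is also why the following NtAllocateVirtualMemory at 0x00400000 succeeds), an 868352-byte PAGE_EXECUTE_READWRITE region is allocated there, a PE image (MZ header, .text/.rsrc/.reloc sections, version info naming bladfin.exe) is written into it, four bytes are written to 0x7efde008, and NtSetContextThread sets eax to 5039502 (0x4ce58e, inside the written region) and ebx to 2130567168 (0x7efde000) before NtResumeThread. On 32-bit Windows the PEB.ImageBaseAddress field sits at PEB+8, so the write at 0x7efde008 is the injector repointing the PEB's image base to the new image, and eax on a not-yet-started x86 thread is the start address that ntdll's thread-start routine will call. The detector below is an added example, not part of the ZeroBOX report or the sample, that correlates Cuckoo-style API records per suspended child and reports exactly those indicators. CALLS is constructed from the rows above; the PE header bytes are a constructed minimal PE32 header because the report renders the real buffer as text, and the 4-byte PEB write is assumed to be 0x00400000 little-endian, which is consistent with the "@" (0x40) the report displays for it.

```python
"""Process-hollowing detector over Cuckoo-style API call records.

Added example; not part of the ZeroBOX report and not code from the sample.
CALLS mirrors the report's rows for pid 2564 injecting into pid 2844 (jsc.exe).
SAMPLE_PE is a constructed minimal PE32 header (the real buffer is not
reproducible from the report), and the 4-byte write at 0x7efde008 is assumed
to be 0x00400000 little-endian (consistent with the '@' the report shows).
"""
import struct

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGEBASE_OFFSET = 8              # PEB.ImageBaseAddress on 32-bit Windows
STATUS_NOT_MAPPED_VIEW = 0xC0000019   # 3221225497 in the report's decimal column


def build_min_pe32(image_base, sections=(b".text", b".rsrc", b".reloc")):
    """Construct the smallest PE32 header parse_pe32() accepts (test data only)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base)).ljust(0xE0, b"\0")
    sect_tbl = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + file_hdr + opt + sect_tbl


def parse_pe32(buf):
    """Return (image_base, [section names]) if buf starts with a PE32 image, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if opt + 32 > len(buf) or struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        return None               # PE32 only; PE32+ keeps an 8-byte ImageBase at +24
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    names = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        if off + 40 > len(buf):
            break
        names.append(buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return image_base, names


def detect_hollowing(calls):
    """Correlate records per suspended child; return {pid: finding dict}."""
    targets = {}
    for c in calls:
        api, a = c["api"], c["args"]
        pid = a.get("process_identifier")
        if api == "CreateProcessInternalW" and a["creation_flags"] & CREATE_SUSPENDED:
            targets[pid] = {"image": a["command_line"], "thread": a["thread_handle"], "unmap": None,
                            "rwx": [], "writes": [], "ctx": None, "resumed": False}
            continue
        t = targets.get(pid)
        if t is None:
            continue
        if api == "NtUnmapViewOfSection":
            t["unmap"] = (a["base_address"], c.get("return", 0))
        elif api == "NtAllocateVirtualMemory" and a["protection"] == PAGE_EXECUTE_READWRITE:
            t["rwx"].append((a["base_address"], a["region_size"]))
        elif api == "WriteProcessMemory":
            t["writes"].append((a["base_address"], a["buffer"]))
        elif api == "NtSetContextThread" and a["thread_handle"] == t["thread"]:
            t["ctx"] = a["registers"]
        elif api == "NtResumeThread" and a["thread_handle"] == t["thread"]:
            t["resumed"] = True
    return {pid: assess(t) for pid, t in targets.items()}


def assess(t):
    """Turn one target's collected state into the indicators a triager wants."""
    f = {"image": t["image"], "pe_written_to_rwx": None, "entry_in_written_image": False,
         "peb_imagebase_patched": False, "unmap_failed_not_mapped": False, "hollowed": False}
    if t["unmap"] and t["unmap"][1] == STATUS_NOT_MAPPED_VIEW:
        f["unmap_failed_not_mapped"] = True   # original image was elsewhere (ASLR); alloc can still succeed
    region = None
    for base, buf in t["writes"]:
        pe = parse_pe32(buf)
        hit = next((r for r in t["rwx"] if r[0] == base), None)
        if pe and hit:                        # a PE header landed at the base of a remote RWX region
            region = hit
            f["pe_written_to_rwx"] = {"base": base, "image_base": pe[0], "sections": pe[1]}
    ctx = t["ctx"]
    if ctx and region:
        lo, hi = region[0], region[0] + region[1]
        # x86: a not-yet-started thread has EAX = start address and EBX = PEB;
        # hollowing points EAX at the new image's entry and rewrites PEB.ImageBaseAddress.
        f["entry_in_written_image"] = lo <= ctx["eax"] < hi
        peb_slot = ctx["ebx"] + PEB_IMAGEBASE_OFFSET
        f["peb_imagebase_patched"] = any(
            b == peb_slot and len(buf) == 4 and struct.unpack("<I", buf)[0] == lo
            for b, buf in t["writes"])
    f["hollowed"] = bool(region) and f["entry_in_written_image"] and t["resumed"]
    return f


SAMPLE_PE = build_min_pe32(0x00400000)        # constructed stand-in for the report's MZ/PE buffer
JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
CALLS = [  # constructed from the report's rows (caller pid 2564, target pid 2844)
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 2844, "thread_handle": 0x2D0,
     "process_handle": 0x2D4, "creation_flags": 564, "command_line": JSC}},
    {"api": "NtUnmapViewOfSection", "return": 3221225497,
     "args": {"process_identifier": 2844, "base_address": 0x00400000, "region_size": 7798784}},
    {"api": "NtAllocateVirtualMemory", "args": {"process_identifier": 2844, "base_address": 0x00400000,
     "region_size": 868352, "protection": 64, "allocation_type": 12288}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2844, "base_address": 0x00400000, "buffer": SAMPLE_PE}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2844, "base_address": 0x004D0000, "buffer": b"VS_VERSION_INFO"}},
    {"api": "NtGetContextThread", "args": {"thread_handle": 0x2D0}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2844, "base_address": 0x7EFDE008,
     "buffer": struct.pack("<I", 0x00400000)}},   # assumed content of the 4-byte PEB write
    {"api": "NtSetContextThread", "args": {"process_identifier": 2844, "thread_handle": 0x2D0,
     "registers": {"eip": 1995571652, "eax": 5039502, "ebx": 2130567168}}},
    {"api": "NtResumeThread", "args": {"process_identifier": 2844, "thread_handle": 0x2D0, "suspend_count": 1}},
]

if __name__ == "__main__":
    for pid, finding in detect_hollowing(CALLS).items():
        print(pid, finding)
```

The detector keys everything on the suspended child's thread handle (0x2d0 here) rather than on API names alone, so the unrelated NtResumeThread calls on the injector's own threads in the table above do not count, and it only reports a hollowing when a PE header was written to the base of a remote RWX region, the new context's eax points inside that region, and the thread was then resumed. A PE32+ image or a write that starts mid-image is deliberately not matched; extend parse_pe32() if the target is 64-bit.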
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Redline.i!c
Elastic malicious (high confidence)
ALYac Trojan.GenericKD.72797392
Cylance Unsafe
VIPRE Trojan.GenericKD.72797392
Sangfor Infostealer.Msil.Kryptik.V7dw
K7AntiVirus Trojan ( 005b29731 )
BitDefender Trojan.GenericKD.72797392
K7GW Trojan ( 005b29731 )
Cybereason malicious.73db4e
Arcabit Trojan.Generic.D456CCD0
Symantec MSIL.Packed.42
ESET-NOD32 a variant of MSIL/Kryptik.AKWD
Avast Win32:CrypterX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Reline.gen
Alibaba TrojanPSW:MSIL/Reline.4b88e802
NANO-Antivirus Trojan.Win32.Reline.kjgdio
MicroWorld-eScan Trojan.GenericKD.72797392
Rising Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:tDHYJxnbdaqSRkERmTsQ/Q)
Emsisoft Trojan.GenericKD.72797392 (B)
F-Secure Trojan.TR/AD.Nekark.lutjp
DrWeb Trojan.Inject5.2255
Zillya Trojan.Kryptik.Win32.4552748
TrendMicro TrojanSpy.Win32.REDLINE.YXEBGZ
McAfeeD ti!0A5355F8E8A6
FireEye Trojan.GenericKD.72797392
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
Google Detected
Avira TR/AD.Nekark.lutjp
MAX malware (ai score=80)
Antiy-AVL Trojan/Win32.Sabsik
Kingsoft Win32.Troj.Generic.v
Gridinsoft Trojan.Win32.RisePro.mz!c
Xcitium Malware@#3twa4qkkvsktc
Microsoft Trojan:MSIL/Redline.CBYZ!MTB
ViRobot Trojan.Win.Z.Agent.5712768
ZoneAlarm HEUR:Trojan-PSW.MSIL.Reline.gen
GData Trojan.GenericKD.72797392
Varist W32/MSIL_Kryptik.KIT.gen!Eldorado
AhnLab-V3 Suspicious/Win.MalPe.X2205
DeepInstinct MALICIOUS
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack.RND.Generic
Panda Trj/Chgt.AD
TrendMicro-HouseCall TrojanSpy.Win32.REDLINE.YXEBGZ
Tencent Malware.Win32.Gencirc.11bdbb64
SentinelOne Static AI - Malicious PE
Fortinet MSIL/GenKryptik.FZFN!tr