16.4
0-day

a777ac93ff0c17ae3f7d317ac3a4f01584bf17dd2d00353adc398e5b1723556b

b362e0f04e718346cf99ed3364150a1a.exe

Analysis time: 131s

Last analysis:

File size: 566.0KB
Static detection / dynamic detection tags: 100% 7K6PLF AGENSLA AGENTTESLA AI SCORE=100 AREG AVSARHER BLADAB BTJEKX CONFIDENCE DYSHPF ELDORADO FAREIT GENERICKD HIGH CONFIDENCE HVAAEF JM0@A45N3DE KCLOUD KRYPTIK KTSE LSBOZ MALWARE@#2FN00S7Y41UZ1 MICROJOIN NEGASTEAL PDVM PSWTROJ QQPASS QQROB R + TROJ R350909 SCORE SIGGEN10 SUSGEN TROJANPSW TROJANX TSCOPE UNSAFE URSU YAKBEEXMSIL ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba | TrojanPSW:MSIL/AgentTesla.8572870e | 20190527 | 0.3.0.5
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Baidu | | 20190318 | 1.0.0.2
Avast | Win32:TrojanX-gen [Trj] | 20210204 | 21.1.5827.0
Kingsoft | Win32.PSWTroj.Undef.(kcloud) | 20210204 | 2017.9.26.565
McAfee | Fareit-FZD!B362E0F04E71 | 20210204 | 6.0.6.653
Tencent | Msil.Trojan-qqpass.Qqrob.Pdvm | 20210204 | 1.0.0.1
Static indicators
Queries for the computername (17 events)
Time & API | Arguments | Status | Return | Repeated
1620910040.586626 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910073.556124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910076.525124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910076.572124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910077.134124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910079.040124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910079.103124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910079.181124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910079.384124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910084.212124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910089.494124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910094.447124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910099.103124 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910053.821876 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910059.586876 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910066.399876 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1620910069.696876 GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks if the process is being debugged by a debugger (17 events)
Time & API | Arguments | Status | Return | Repeated
1620909985.399751 IsDebuggerPresent | | failed | 0 | 0
1620910039.336751 IsDebuggerPresent | | failed | 0 | 0
1620910039.836751 IsDebuggerPresent | | failed | 0 | 0
1620910040.352751 IsDebuggerPresent | | failed | 0 | 0
1620910040.836751 IsDebuggerPresent | | failed | 0 | 0
1620910041.352751 IsDebuggerPresent | | failed | 0 | 0
1620910041.836751 IsDebuggerPresent | | failed | 0 | 0
1620910042.352751 IsDebuggerPresent | | failed | 0 | 0
1620910042.836751 IsDebuggerPresent | | failed | 0 | 0
1620910043.368751 IsDebuggerPresent | | failed | 0 | 0
1620910043.868751 IsDebuggerPresent | | failed | 0 | 0
1620910044.368751 IsDebuggerPresent | | failed | 0 | 0
1620910044.868751 IsDebuggerPresent | | failed | 0 | 0
1620910045.368751 IsDebuggerPresent | | failed | 0 | 0
1620910050.244124 IsDebuggerPresent | | failed | 0 | 0
1620910050.244124 IsDebuggerPresent | | failed | 0 | 0
1620910051.680876 IsDebuggerPresent | | failed | 0 | 0
Command line console output was observed (1 event)
Time & API | Arguments | Status | Return | Repeated
1620910041.430626 WriteConsoleW | buffer: 成功: 成功创建计划任务 "Updates\hFBaGGUrrp"。; console_handle: 0x00000007 | success | 1 | 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API | Arguments | Status | Return | Repeated
1620910021.821751 GlobalMemoryStatusEx | | success | 1 | 0
One or more processes crashed (19 events)
Time & API | Arguments | Status | Return | Repeated
1620910064.197124
__exception__
stacktrace:
registers.esp: 4253084
registers.edi: 4254032
registers.eax: 0
registers.ebp: 4253236
registers.edx: 0
registers.ebx: 10807656
registers.esi: 40310428
registers.ecx: 40609812
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.275124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41479532
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.353124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41489320
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.462124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41492304
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.509124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41495248
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.540124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41498148
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.556124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41501040
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.572124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41503952
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910082.587124
__exception__
stacktrace:
registers.esp: 4253076
registers.edi: 4253968
registers.eax: 0
registers.ebp: 4253228
registers.edx: 0
registers.ebx: 10807656
registers.esi: 4253872
registers.ecx: 41506844
exception.instruction_r: 8b 40 04 89 45 e4 33 d2 89 55 f0 90 eb 6e 8b 45
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6dba77
success 0 0
1620910086.322124
__exception__
stacktrace:
registers.esp: 4253224
registers.edi: 4253300
registers.eax: 0
registers.ebp: 4253316
registers.edx: 8
registers.ebx: 10807656
registers.esi: 40310428
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a4 8b 45 a4 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x65e9448
success 0 0
1620910091.259124
__exception__
stacktrace:
registers.esp: 4253224
registers.edi: 4253300
registers.eax: 0
registers.ebp: 4253316
registers.edx: 8
registers.ebx: 10807656
registers.esi: 40310428
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a4 8b 45 a4 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x65e9448
success 0 0
1620910096.603124
__exception__
stacktrace:
0x65e9d7a
0x6d3ac0
0x2ea271
system+0x222b78 @ 0x6cdf2b78
system+0x222650 @ 0x6cdf2650
system+0x2157c3 @ 0x6cde57c3
system+0x2155c0 @ 0x6cde55c0
system+0x221537 @ 0x6cdf1537
system+0x217408 @ 0x6cde7408
system+0x2202aa @ 0x6cdf02aa
system+0x221460 @ 0x6cdf1460
system+0x220129 @ 0x6cdf0129
system+0x2170f3 @ 0x6cde70f3
system+0x217071 @ 0x6cde7071
system+0x216fb6 @ 0x6cde6fb6
0x9709e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
system+0x214a17 @ 0x6cde4a17
system+0x21f8fb @ 0x6cdef8fb
system+0x212c60 @ 0x6cde2c60
system+0x226d9d @ 0x6cdf6d9d
system+0x226c81 @ 0x6cdf6c81
0x6d14b5
0x6d0ff7
0x6d0a48
0x6d0135
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x6f1821db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x6f1a4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x6f1a4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x6f1a4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x6f1a4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x6f26ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x6f26cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x6f26cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x6f26d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x6f26d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x6f2eaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4253224
registers.edi: 4253300
registers.eax: 0
registers.ebp: 4253316
registers.edx: 8
registers.ebx: 10807656
registers.esi: 40310428
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a4 8b 45 a4 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x65e9448
success 0 0
1620910063.477876
__exception__
stacktrace:
0x4755fd5
0x47553dd
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3732352
registers.edi: 3732380
registers.eax: 0
registers.ebp: 3732396
registers.edx: 158
registers.ebx: 3732572
registers.esi: 41421108
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 29 bd b2 58 e9 62 ff
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4756435
success 0 0
1620910070.024876
__exception__
stacktrace:
0x47581e3
0x4755bad
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3730548
registers.edi: 3730608
registers.eax: 0
registers.ebp: 3730624
registers.edx: 3730516
registers.ebx: 41614632
registers.esi: 41961392
registers.ecx: 0
exception.instruction_r: 39 09 e8 ca 83 90 6d 89 45 b8 33 d2 89 55 dc 8b
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x475c457
success 0 0
1620910070.024876
__exception__
stacktrace:
0x4758237
0x4755bad
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3730516
registers.edi: 0
registers.eax: 16972756
registers.ebp: 3730624
registers.edx: 14
registers.ebx: 41614632
registers.esi: 373400646
registers.ecx: 0
exception.instruction_r: 39 09 e8 e9 7c 90 6d 83 78 04 00 0f 84 c8 02 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x475cb38
success 0 0
1620910072.055876
__exception__
stacktrace:
0x4758d08
0x4755bad
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3730568
registers.edi: 3730608
registers.eax: 3
registers.ebp: 3730624
registers.edx: 0
registers.ebx: 41614632
registers.esi: 42274936
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 b8 ea 82 1f 7e eb
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5346174
success 0 0
1620910072.555876
__exception__
stacktrace:
0x4755bad
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3730632
registers.edi: 1060668879
registers.eax: 0
registers.ebp: 3732444
registers.edx: 6
registers.ebx: 41614632
registers.esi: 732313830
registers.ecx: 11
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 74 f9 ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4758833
success 0 0
1620910073.149876
__exception__
stacktrace:
0x4759163
0x4755bad
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3730556
registers.edi: 42964108
registers.eax: 42966748
registers.ebp: 3730624
registers.edx: 42966748
registers.ebx: 42962296
registers.esi: 0
registers.ecx: 1911774966
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 f4 fe c1 6c
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x54e427c
success 0 0
1620910073.774876
__exception__
stacktrace:
_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73fc4168
0x56b942
system+0x7a24ea @ 0x71aa24ea
system+0x7a30b4 @ 0x71aa30b4
system+0x7a2c0a @ 0x71aa2c0a
system+0x7a0de4 @ 0x71aa0de4
system+0x79e6da @ 0x71a9e6da
system+0x79f065 @ 0x71a9f065
microsoft+0x12fb46 @ 0x7371fb46
0x4754f18
system+0x1f84fa @ 0x714f84fa
0x7c0ebc
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
0x54eac14
0x4755bf4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3731036
registers.edi: 4456448
registers.eax: 4294967288
registers.ebp: 3731080
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 4456448
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 280 events)
Time & API Arguments Status Return Repeated
1620909984.477751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00700000
success 0 0
1620909984.477751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00800000
success 0 0
1620909985.243751
NtProtectVirtualMemory
process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1620909985.414751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ca000
success 0 0
1620909985.414751
NtProtectVirtualMemory
process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1620909985.414751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c2000
success 0 0
1620909985.868751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d2000
success 0 0
1620909986.039751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d3000
success 0 0
1620909986.071751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0060b000
success 0 0
1620909986.071751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00607000
success 0 0
1620909986.118751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005dc000
success 0 0
1620909986.883751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d4000
success 0 0
1620909986.899751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d5000
success 0 0
1620909986.914751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d6000
success 0 0
1620909986.930751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00710000
success 0 0
1620909987.008751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ea000
success 0 0
1620909987.008751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e7000
success 0 0
1620909987.008751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fa000
success 0 0
1620909987.055751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cb000
success 0 0
1620909987.352751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e6000
success 0 0
1620909987.368751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008b0000
success 0 0
1620909987.368751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b0000
success 0 0
1620909987.368751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b1000
success 0 0
1620909987.399751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b2000
success 0 0
1620909987.430751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d7000
success 0 0
1620909987.446751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00711000
success 0 0
1620909987.461751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b3000
success 0 0
1620909987.461751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b4000
success 0 0
1620909987.493751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00712000
success 0 0
1620909987.493751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b5000
success 0 0
1620909987.696751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02090000
success 0 0
1620909987.789751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f2000
success 0 0
1620909987.789751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005fc000
success 0 0
1620909987.993751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00605000
success 0 0
1620909988.024751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005da000
success 0 0
1620909988.086751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d8000
success 0 0
1620909988.118751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c3000
success 0 0
1620909988.118751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005eb000
success 0 0
1620909988.243751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d9000
success 0 0
1620909988.321751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04540000
success 0 0
1620910021.383751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00713000
success 0 0
1620910021.539751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00801000
success 0 0
1620910021.993751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05750000
success 0 0
1620910022.086751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00714000
success 0 0
1620910022.243751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02091000
success 0 0
1620910022.243751
NtProtectVirtualMemory
process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 395776
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x059b0400
failed 3221225550 0
1620910037.711751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00715000
success 0 0
1620910037.711751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00716000
success 0 0
1620910037.743751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00717000
success 0 0
1620910037.883751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00718000
success 0 0
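The RWX allocation entries above are printed one per call, which hides the distinction that matters for triage: executable memory committed by process 2236 in its own address space (self-unpacking) versus executable memory allocated in a different process (injection staging, as in the NtAllocateVirtualMemory against pid 880 recorded further down the page). The Python below is an added example written for this page, not part of the sandbox report or of the sample. It parses records in the report's own flattened layout and buckets them; the constant names, the constructed third record and the base address and allocation type inside it are the author's assumptions.

```python
"""Triage Cuckoo-style memory API records in the layout this report uses and
separate what the sandbox lumps under one signature: executable pages in the
sample's own process (self-unpacking) versus executable pages committed in
another process (injection staging). Added example, not the report's code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_ANY = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE .. PAGE_EXECUTE_WRITECOPY
MEM_COMMIT = 0x1000
SAMPLE_PID = 2236  # pid of the submitted sample in this report

# Three records in the report's flattened layout. The first two are copied
# from the report (stack_* fields dropped for brevity). The third is
# CONSTRUCTED to stand in for the truncated cross-process entry at the end
# of the page: its base_address and allocation_type are assumptions.
SAMPLE_LOG = """
1620909984.477751
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00800000
success 0 0
1620910022.243751
NtProtectVirtualMemory
process_identifier: 2236
length: 395776
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x059b0400
failed 3221225550 0
1620910044.008751
NtAllocateVirtualMemory
process_identifier: 880
region_size: 271194
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000cfb8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
"""

TS_RE = re.compile(r"^\d+\.\d+$")
KV_RE = re.compile(r"^([a-z_]+):\s*(.*)$")
STATUS_RE = re.compile(r"^(success|failed)\s+(\d+)\s+(\d+)$")


@dataclass
class ApiCall:
    timestamp: float
    api: str
    args: dict[str, str] = field(default_factory=dict)
    status: str = ""
    retval: int = 0


def parse_int(text: str) -> int:
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64; '0xffffffff' -> 4294967295."""
    return int(text.split()[0], 0)


def parse_log(text: str) -> list[ApiCall]:
    """Records are: timestamp line, API name, key: value lines, status line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    calls: list[ApiCall] = []
    i = 0
    while i + 1 < len(lines):
        if not TS_RE.match(lines[i]):
            raise ValueError(f"expected a timestamp, got {lines[i]!r}")
        call = ApiCall(float(lines[i]), lines[i + 1])
        i += 2
        while i < len(lines):
            line = lines[i]
            i += 1
            m = STATUS_RE.match(line)
            if m:  # "success 0 0" / "failed <ntstatus> 0" closes the record
                call.status, call.retval = m.group(1), int(m.group(2))
                break
            kv = KV_RE.match(line)
            if kv is None:
                raise ValueError(f"unexpected line inside record: {line!r}")
            call.args[kv.group(1)] = kv.group(2)
        calls.append(call)
    return calls


def triage(calls: list[ApiCall], sample_pid: int = SAMPLE_PID) -> dict:
    """Bucket executable-memory operations by which process they land in."""
    out = {"self_exec_calls": 0, "self_exec_committed_bytes": 0,
           "heap_dep_bypass_calls": 0, "remote_exec_targets": set(),
           "failed_protect_status": []}
    for c in calls:
        if c.api not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        if parse_int(c.args.get("protection", "0")) not in PAGE_EXECUTE_ANY:
            continue
        if c.api == "NtProtectVirtualMemory":
            if c.status == "failed":  # e.g. 0xC000004E STATUS_SECTION_PROTECTION:
                out["failed_protect_status"].append(f"0x{c.retval:08x}")  # range is a mapped section view
            continue
        pid = parse_int(c.args.get("process_identifier", "0"))
        if pid != sample_pid:  # executable memory in someone else's address space
            out["remote_exec_targets"].add(pid)
            continue
        out["self_exec_calls"] += 1
        if parse_int(c.args["allocation_type"]) & MEM_COMMIT:
            out["self_exec_committed_bytes"] += parse_int(c.args["region_size"])
        if c.args.get("heap_dep_bypass") == "1":
            out["heap_dep_bypass_calls"] += 1
    out["remote_exec_targets"] = sorted(out["remote_exec_targets"])
    return out
```

Run `triage(parse_log(SAMPLE_LOG))` on the full event list and the two buckets fall out directly: every call whose process_identifier is 2236 with process_handle 0xffffffff is the sample preparing its own unpacked code, and any call whose process_identifier differs (880 here) is memory being staged in another process and should be read together with the NtTerminateProcess and SeDebugPrivilege entries. A failed NtProtectVirtualMemory is kept as a separate finding because a protection change that the kernel refuses still shows intent.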
Steals private information from local Internet browsers (16 events)
file C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\All Users\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Default\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Public\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Oskar\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Default User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
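The file list above is characteristic of a credential stealer rather than of a browser: the same Yandex Login Data path is probed under Administrator, All Users, Default, Default User, Oskar and Public, i.e. under every directory in C:\Users, including roots that never contain a live browser profile. The Python below is an added example, not code from the report or from the sample; it classifies such paths by browser and store and flags that enumeration pattern. The STORES table and the SYSTEM_PROFILES set are the author's.

```python
"""Group the browser-data paths recorded above by product and store, and
detect the enumeration pattern in them: one profile-relative path probed under
every directory in C:\\Users, including roots that never hold a real profile.
Added example, not code from the report. The STORES table is the author's."""
from __future__ import annotations
import re
from collections import defaultdict

# Copied from the report (subset): files the sample opened or listed.
PATHS = [
    r"C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data",
    r"C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data",
    r"C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data",
    r"C:\Users\All Users\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data",
    r"C:\Users\Default\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data",
    r"C:\Users\Public\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data",
    r"C:\Users\Oskar\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data",
    r"C:\Users\Default User\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data",
]

STORES = {  # Chromium-family SQLite stores (author's table)
    "login data": "saved credentials (passwords DPAPI-encrypted per user)",
    "web data": "autofill entries and saved payment cards",
}
SYSTEM_PROFILES = {"public", "default", "default user", "all users"}  # never interactive profiles
PATH_RE = re.compile(
    r"^[a-z]:\\users\\([^\\]+)\\appdata\\local\\(.+?)\\user data(?:\\(.+))?$", re.IGNORECASE)


def classify(path: str) -> dict | None:
    """Split a path into user, product (vendor\\browser) and profile-relative part."""
    m = PATH_RE.match(path)
    if not m:
        return None
    user, product, rel = m.group(1), m.group(2), m.group(3) or ""
    store = rel.split("\\")[-1].lower() if rel else ""
    return {"user": user, "product": product, "relative": rel, "store": STORES.get(store)}


def analyse(paths: list[str]) -> dict:
    """Summarise products and stores touched and flag cross-profile enumeration."""
    probes: dict[tuple[str, str], set[str]] = defaultdict(set)  # (product, rel) -> users
    products, stores = set(), set()
    for p in paths:
        c = classify(p)
        if c is None:
            continue
        products.add(c["product"])
        if c["store"]:
            stores.add(c["store"])
        probes[(c["product"], c["relative"].lower())].add(c["user"])
    enumeration = []
    for (product, rel), users in probes.items():
        bogus = {u for u in users if u.lower() in SYSTEM_PROFILES}
        # a browser reads its own profile; a stealer walks C:\Users\* blindly
        if len(users) >= 3 or bogus:
            enumeration.append({"product": product, "relative": rel,
                                "users": sorted(users), "non_profile_roots": sorted(bogus)})
    return {"products": sorted(products), "stores": sorted(stores), "enumeration": enumeration}
```

The enumeration check is the useful part: Chrome's Login Data is only read under the two Administrator profiles, which a legitimate process running as that user might do, whereas the Yandex path is probed under six roots, four of which (All Users, Default, Default User, Public) are not user profiles at all. That blind walk over C:\Users is the behaviour to alert on, independent of which browser is named.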
Creates executable files on the filesystem (3 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\hFBaGGUrrp.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\drg.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\pilo.exe
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFBaGGUrrp" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp31D4.tmp"
cmdline schtasks.exe /Create /TN "Updates\hFBaGGUrrp" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp31D4.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1620910040.211751
ShellExecuteExW
parameters: /Create /TN "Updates\hFBaGGUrrp" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp31D4.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.919299512855426 section .text (virtual_address 0x00002000, virtual_size 0x000891c8, size_of_data 0x00089200) description A section with a high entropy has been found
entropy 0.9699381078691424 description Overall entropy of this PE file is high (normalised to 0..1, i.e. about 7.76 of 8 bits per byte)
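The packer heuristic above scores each PE section by Shannon entropy and flags anything close to 8 bits per byte (the report's .text section at RVA 0x2000 scored 7.92). The following is an added example, not the sandbox's own code: a minimal section-header parser and entropy function in pure Python, run over a constructed 32-bit PE whose .text section is filled with uniformly distributed bytes (a stand-in for packed or encrypted data) and whose .rsrc section holds repetitive plaintext. The section names, RVAs, file offsets and the 7.0 threshold are assumptions chosen for the demonstration.

```python
"""Per-section Shannon entropy check for PE files.

Added example, not part of the sandbox report. Parses the section table
by hand (no pefile dependency) and reports sections whose raw bytes have
entropy at or above a threshold, the same signal the report's packer
heuristic fires on.
"""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_address, virtual_size, raw_bytes) per section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = image[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", hdr, 8)
        yield name, vaddr, vsize, image[rptr:rptr + rsize]


def packed_sections(image: bytes, threshold: float = 7.0):
    """Return [(name, virtual_address, entropy)] for sections at/above threshold."""
    hits = []
    for name, vaddr, _vsize, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        if ent >= threshold:
            hits.append((name, vaddr, ent))
    return hits


def build_sample_pe() -> bytes:
    """Construct a minimal 32-bit PE with a high-entropy .text and a low-entropy .rsrc.
    Assumed layout: headers in the first 0x200 bytes, .text raw data at 0x200,
    .rsrc raw data at 0x1200. Not a loadable executable, just enough for the parser."""
    text_raw = bytes(range(256)) * 16        # 4096 bytes, every value equally often -> 8.0 bits
    rsrc_raw = b"RESOURCE" * 64              # 512 bytes of repetitive data -> 2.5 bits

    def section(name, vaddr, raw, rptr, flags):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rptr, 0, 0, 0, 0, flags)

    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # i386, 2 sections
    optional = bytes(0xE0)                                                # zeroed optional header
    headers = (b"PE\0\0" + file_hdr + optional
               + section(b".text", 0x1000, text_raw, 0x200, 0x60000020)
               + section(b".rsrc", 0x3000, rsrc_raw, 0x1200, 0x40000040))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    image = dos + headers
    image += bytes(0x200 - len(image)) + text_raw
    image += bytes(0x1200 - len(image)) + rsrc_raw
    return image


if __name__ == "__main__":
    for name, vaddr, ent in packed_sections(build_sample_pe()):
        print(f"{name:8s} rva {vaddr:#010x} entropy {ent:.3f}  <- likely packed/encrypted")
```

On a real sample the same `packed_sections` call works on the file bytes directly; a .NET assembly such as this one keeps its entire managed image in .text, so a single high-entropy .text at RVA 0x2000 is the expected shape for a packed/obfuscated MSIL loader.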
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1620910022.243751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620910053.133876
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1620910044.352751
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 880
process_handle: 0x0000cfb8
failed 0 0
1620910044.352751
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 880
process_handle: 0x0000cfb8
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFBaGGUrrp" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp31D4.tmp"
cmdline schtasks.exe /Create /TN "Updates\hFBaGGUrrp" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp31D4.tmp"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1620910044.008751
NtAllocateVirtualMemory
process_identifier: 880
region_size: 271194
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000ee18
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 (NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES: 0x00400000 is already mapped in pid 880) 0
1620910044.633751
NtAllocateVirtualMemory
process_identifier: 1816
region_size: 274432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00004928
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task (1 event)
description pilo.exe tried to sleep 2728220 seconds, actually delayed analysis time by 2728220 seconds
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater reg_value C:\Users\ADMINI~1.OSK\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\opAYSR reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\opAYSR\opAYSR.exe
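Both persistence mechanisms in this report live entirely in user-writable locations: the scheduled task "Updates\hFBaGGUrrp" is registered from an XML definition staged in %TEMP%, and both Run values point at binaries under AppData, one of them under a system-sounding name ("Windows Defender Updater"). The following is an added example, not from the sandbox or its tooling: a small Python triage routine over event strings in the shape of the report's cmdline and reg_key/reg_value lines. Two of the sample events are copied from the report; the schtasks /Query command and the OneDrive Run value are assumed benign controls added for contrast, and the keyword list used to spot lookalike value names is an assumption.

```python
"""Flag user-land persistence of the kind shown in the report.

Added example, not sandbox code. Two heuristics:
  * schtasks.exe /Create whose /XML task definition is staged under AppData (e.g. %TEMP%)
  * HKCU\\...\\Run values whose image lives under AppData, with an extra note when the
    value name imitates a Windows component
"""
import re

# Constructed sample events. The first schtasks line and the first two Run values are
# copied from the report; the remaining entries are assumed benign controls.
PROCESS_EVENTS = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFBaGGUrrp" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp31D4.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
]
RUN_KEY_EVENTS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater",
     r"C:\Users\ADMINI~1.OSK\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\opAYSR",
     r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\opAYSR\opAYSR.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming|LocalLow)\\", re.I)
LOOKALIKE = re.compile(r"windows|defender|microsoft|update|security", re.I)  # assumed keyword list
IMAGE_RE = re.compile(r'^\s*"?(.*?\.exe)"?(?=\s|$)', re.I)


def switch_arg(cmdline: str, switch: str):
    """Value following a schtasks switch, quoted or bare; None if absent."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def check_schtasks(cmdline: str):
    """Finding for a schtasks /Create whose task XML is staged in a user-writable path."""
    exe = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    if not exe.lower().endswith("schtasks.exe") or not re.search(r"\s/create\b", cmdline, re.I):
        return None
    xml, task = switch_arg(cmdline, "/XML"), switch_arg(cmdline, "/TN")
    reasons = []
    if xml and USER_WRITABLE.search(xml):
        reasons.append("task definition XML staged under user-writable AppData")
    return {"type": "schtasks", "task": task, "xml": xml, "reasons": reasons} if reasons else None


def image_path(value: str) -> str:
    """Executable path from a Run value, with trailing arguments stripped."""
    m = IMAGE_RE.match(value)
    return m.group(1) if m else value.split()[0]


def check_run_value(key: str, value: str):
    """Finding for an HKCU Run value whose image lives under the user profile."""
    name = key.rsplit("\\", 1)[-1]
    path = image_path(value)
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("autorun image under user-writable AppData")
        if LOOKALIKE.search(name):
            reasons.append("system-sounding value name backing a user-profile binary")
    return {"type": "run_key", "name": name, "image": path, "reasons": reasons} if reasons else None


def audit(process_cmdlines, run_values):
    """All findings, schtasks first, then Run values, in input order."""
    findings = [f for c in process_cmdlines if (f := check_schtasks(c))]
    findings += [f for k, v in run_values if (f := check_run_value(k, v))]
    return findings


if __name__ == "__main__":
    for f in audit(PROCESS_EVENTS, RUN_KEY_EVENTS):
        label = f.get("task") or f.get("name")
        print(f"[{f['type']}] {label}: " + "; ".join(f["reasons"]))
```

The same two checks translate directly into EDR queries: process creation where the image is schtasks.exe, the command line contains /Create, and the /XML argument matches \AppData\; and registry value writes under HKCU\...\CurrentVersion\Run whose data matches \AppData\.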
Harvests credentials from local FTP client software (11 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Default\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Public\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Oskar\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Harvests information related to installed instant messenger clients (7 events)
file C:\Users\All Users\AppData\Roaming\.purple\accounts.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
file C:\Users\Oskar\AppData\Roaming\.purple\accounts.xml
file C:\Users\Default User\AppData\Roaming\.purple\accounts.xml
file C:\Users\Public\AppData\Roaming\.purple\accounts.xml
file C:\Users\Administrator\AppData\Roaming\.purple\accounts.xml
file C:\Users\Default\AppData\Roaming\.purple\accounts.xml
Manipulates memory of a non-child process indicative of process injection (2 events)
Process injection Process 2236 manipulating memory of non-child process 880
Time & API Arguments Status Return Repeated
1620910044.008751
NtAllocateVirtualMemory
process_identifier: 880
region_size: 271194
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000ee18
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 (NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES: 0x00400000 is already mapped in pid 880) 0
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1620910044.633751
WriteProcessMemory
process_identifier: 1816
buffer: MZÿÿ@@´LÍ!@PELëÙzAà  Á @Z#¨(Ø.textl à.rsrcZ Z@À
process_handle: 0x00004928
base_address: 0x00400000
success 1 0
1620910044.633751
WriteProcessMemory
process_identifier: 1816
buffer: kernel32shell32user32advapi32~@ÖÖÀPf]¹,ÿæz*Æ8»u»ñ¯Š•Ü)¹ ­Y ÐöÂEÅØX{*FI?ô`qRŸxjëšVNÒ8Ù§H§u—„›Pò3ƛM™@¤@µ@l@openDllRegisterServerÐðØàà¤LoadLibraryAkernel32.dlluser32.dll`‹{`²€¤¶€ÿsù3Éÿs3Àÿs#¶€A°ÿÀsúuBªëàèPöƒÙuèBë(¬ÑètGÉë‘HÁà¬è,=}s €üsƒøwAA•‹Å¶V‹÷+ðó¤^ë—ÒuŠFÒÃ3ÉAÿÉÿrøÃ+{`‰|$aÃV‰cdÆE­’­PVÿSXVÿSX­PR‰shÿSXVhôU‹K„Òt#ÐêrÐêrÐêrZY‹shÿSTëÿS ëÿSë ‹K<XZPRÿр}u²ëÀ‹ý¹ô‹S\‹õÿST°\ò®QÆGÿjUÿS8ÆGÿ\YAâéUQCpPUÿS^‹ÖÿSPƒÁ )Kl‹ÕÿSPÁ,$ sTüë`UÿS,aý<°\ò®‹×BBü3ÉÿST3ÀPÿt$±QPQÁáQUÿS‹ø@„‹Kl㠐èƒþÿÿ‹s`‹È‹ÁHÀ 0uùPClPQVWÿS(WÿS_Ñïs €É‹õºl@ÿSTXZÑïs6‹4$PTRh€ÿS@‹ÕÿSPÑÆBÿ RÿST‹ÕÿSPQUjjUÿt$ÿSDZÆBÿXÑïsUèf Àth–@PÿSH ÀtÿÐÑïrZÑïs<WR¿l@hôWjÿS0‹×ÿSPùý°\ò®3ÀüGª´ZW‹ÍÈQÈQRÈQÿS4ºl@_YjjjjjjjQÿs\RUCpPjh@j<TÿS ÀtÑïs jÿÿt$<ÿSLÿt$<ÿS‹cd^Ã3ÉA€|ÿuøÃ¬ãÀÀÀȈB„ÀuðÃÀ¬ÿKl„Àuõÿ@_!j XjY`W莕‹U<‹t*xt.­‘­P­Œ­ÅP‹ò­Å3ÒÁÂ2@€8uõ‹$ƒ$‹û9u·ÁàD$ŋū믃?uãâÈXXaHøâŸ½l@ƅ¾Z#DhúQÿS$‰C`ƒî‹㠉Kl+ñè?ýÿÿëíQÿS ÿ%Ø@
process_handle: 0x00004928
base_address: 0x00401000
success 1 0
1620910044.664751
WriteProcessMemory
process_identifier: 1816
buffer: @ (the 4 bytes 00 00 40 00, i.e. 0x00400000 little-endian: the new image base)
process_handle: 0x00004928
base_address: 0x7efde008 (PEB + 0x08, ImageBaseAddress of the target process)
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1620910044.633751
WriteProcessMemory
process_identifier: 1816
buffer: MZÿÿ@@´LÍ!@PELëÙzAà  Á @Z#¨(Ø.textl à.rsrcZ Z@À
process_handle: 0x00004928
base_address: 0x00400000
success 1 0
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1620910073.821876
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x007c28a2
module_address: 0x00ba0000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 524649 0
Harvests credentials from local email clients (6 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2236 called NtSetContextThread to modify thread in remote process 1816
Time & API Arguments Status Return Repeated
1620910044.664751
NtSetContextThread
thread_handle: 0x0000cfb8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199361 (0x004013C1: entry point of the written image; EAX holds the entry point for the initial thread of a process created suspended)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7EFDE000: the target's PEB, matching the WriteProcessMemory to 0x7efde008)
registers.esi: 0
registers.ecx: 0
process_identifier: 1816
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\opAYSR\opAYSR.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)
Process injection Process 2236 resumed a thread in remote process 1816
Process injection Process 1816 resumed a thread in remote process 2544
Process injection Process 1816 resumed a thread in remote process 1160
Time & API Arguments Status Return Repeated
1620910045.383751
NtResumeThread
thread_handle: 0x0000cfb8
suspend_count: 1
process_identifier: 1816
success 0 0
1620910049.102374
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2544
success 0 0
1620910050.836374
NtResumeThread
thread_handle: 0x00000164
suspend_count: 1
process_identifier: 1160
success 0 0
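Taken together, the injection events in this report form the textbook process-hollowing chain: pid 2236 allocates RWX memory at 0x00400000 in a suspended child, writes a fresh MZ/PE image there, patches PEB.ImageBaseAddress at 0x7efde008, sets the thread context (EAX = new entry point, EBX = PEB) and resumes the thread. The first target, pid 880, was abandoned after the allocation failed with STATUS_CONFLICTING_ADDRESSES and was terminated; pid 1816 was then used instead. The following is an added example, not part of the sandbox report or its tooling: a small Python detector that replays events constructed in the shape of the report's API log (times, PIDs, addresses and NTSTATUS values are copied from the report; the buffers are shortened stand-ins) and flags a target PID only once the whole chain has completed in time order, while also surfacing the abandoned target.

```python
"""Process-hollowing chain detector over a sandbox API trace.

Added example, not sandbox code. Flags a target PID once these steps are
all seen for it, in time order:
  1. NtAllocateVirtualMemory in a remote process with PAGE_EXECUTE_READWRITE
  2. WriteProcessMemory of a buffer that starts with an MZ header
  3. NtSetContextThread on a thread of that process
  4. NtResumeThread on a thread of that process
Failed RWX allocations (NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES)
are returned separately: they mark a target the injector gave up on.
"""
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
STATUS_CONFLICTING_ADDRESSES = 0xC0000018
CHAIN = ("alloc_rwx", "write_pe", "set_context", "resume")

# Constructed events in the shape of the report's log. Times, PIDs, addresses
# and NTSTATUS values are taken from the report; buffers are shortened stand-ins.
EVENTS = [
    {"time": 1620910044.008, "api": "NtAllocateVirtualMemory", "src": 2236, "pid": 880,
     "protection": 0x40, "base_address": 0x00400000, "status": 0xC0000018},
    {"time": 1620910044.352, "api": "NtTerminateProcess", "src": 2236, "pid": 880, "status": 0},
    {"time": 1620910044.633, "api": "NtAllocateVirtualMemory", "src": 2236, "pid": 1816,
     "protection": 0x40, "base_address": 0x00400000, "status": 0},
    {"time": 1620910044.633, "api": "WriteProcessMemory", "src": 2236, "pid": 1816,
     "base_address": 0x00400000, "buffer": b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00", "status": 0},
    # PEB+0x08 (ImageBaseAddress) overwritten with the new base, 0x00400000 little-endian.
    {"time": 1620910044.664, "api": "WriteProcessMemory", "src": 2236, "pid": 1816,
     "base_address": 0x7EFDE008, "buffer": b"\x00\x00\x40\x00", "status": 0},
    {"time": 1620910044.664, "api": "NtSetContextThread", "src": 2236, "pid": 1816,
     "eax": 0x004013C1, "ebx": 0x7EFDE000, "status": 0},
    {"time": 1620910045.383, "api": "NtResumeThread", "src": 2236, "pid": 1816, "status": 0},
]


def classify(ev):
    """Map one raw event to a chain step name, or None if it is irrelevant."""
    api, ok = ev["api"], ev.get("status", 0) == 0
    if api == "NtAllocateVirtualMemory" and ev.get("protection") == PAGE_EXECUTE_READWRITE:
        return "alloc_rwx" if ok else "alloc_failed"
    if api == "WriteProcessMemory" and ok and ev.get("buffer", b"")[:2] == b"MZ":
        return "write_pe"
    if api == "NtSetContextThread" and ok:
        return "set_context"
    if api == "NtResumeThread" and ok:
        return "resume"
    return None


def detect_hollowing(events):
    """Return (hits, failed): hits maps a hollowed PID to a summary of the chain,
    failed maps a PID to the RWX allocation that was refused in it."""
    first = defaultdict(dict)   # target pid -> {step: first event of that step}
    failed = {}
    for ev in sorted(events, key=lambda e: e["time"]):   # stable sort keeps log order on ties
        step = classify(ev)
        if step == "alloc_failed":
            failed[ev["pid"]] = ev
        elif step and step not in first[ev["pid"]]:
            first[ev["pid"]][step] = ev
    hits = {}
    for pid, steps in first.items():
        if not all(s in steps for s in CHAIN):
            continue
        times = [steps[s]["time"] for s in CHAIN]
        if times != sorted(times):          # all steps present but out of order: not a chain
            continue
        hits[pid] = {
            "source_pid": steps["alloc_rwx"]["src"],
            "image_base": steps["alloc_rwx"]["base_address"],
            "entry_point": steps["set_context"].get("eax"),   # EAX of a suspended process' first thread
            "peb": steps["set_context"].get("ebx"),           # EBX = PEB on 32-bit Windows
        }
    return hits, failed


if __name__ == "__main__":
    hits, failed = detect_hollowing(EVENTS)
    for pid, info in hits.items():
        print(f"pid {info['source_pid']} hollowed pid {pid}: base {info['image_base']:#010x}, "
              f"entry {info['entry_point']:#010x}, PEB {info['peb']:#010x}")
    for pid, ev in failed.items():
        print(f"pid {ev['src']} failed RWX allocation in pid {pid}: NTSTATUS {ev['status']:#010x}")
```

Requiring all four steps in order keeps the rule quiet on legitimate debuggers and profilers, which commonly perform one or two of them; the abandoned-target list is worth keeping in the output because a refused allocation at the preferred base, followed by NtTerminateProcess and a retry in a fresh process, is itself a strong hollowing tell.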
Generates some ICMP traffic
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualisation image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-09-07 01:08:53

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination (Resolved Name, where known) Destination Port
192.168.56.101 49199 113.108.239.162 update.googleapis.com 443

UDP

Source Source Port Destination (Resolved Name, where known) Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49714 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.