
Comments (30)

enzok avatar enzok commented on July 19, 2024 1

Through the process of elimination, I believe I have narrowed this issue down to Adobe Acrobat 11. I started with a cleanly installed machine and just started adding and updating. Once I installed Acrobat 11, everything went to crap. I restored the previous snapshot and installed Acrobat 10. PowerShell runs with CAPEMON. So my final config is Windows 10, Office 2010, JRE 8, PowerShell 5.1, Flash 28, and .NET 4.5, although I suspect newer .NET versions will be just fine. I have not added any of the VC runtimes, but will probably do so once I have more time to test.

I think we can close this one out.

from cape.

doomedraven avatar doomedraven commented on July 19, 2024

Does the capemon already contain the fix for the ntdll reload?


enzok avatar enzok commented on July 19, 2024

Yes, I tried with the latest version and the previous version (no reload).


enzok avatar enzok commented on July 19, 2024

2018-08-22 10:18:35,000 [root] INFO: Date set to: 08-22-18, time set to: 14:18:35
2018-08-22 10:18:35,046 [root] DEBUG: Starting analyzer from: C:\sypwnptsfq
2018-08-22 10:18:35,046 [root] DEBUG: Storing results at: C:\ZtsORiv
2018-08-22 10:18:35,046 [root] DEBUG: Pipe server name: \\.\PIPE\LwJJseUe
2018-08-22 10:18:35,046 [root] INFO: Analysis package "doc" has been specified.
2018-08-22 10:18:37,573 [root] DEBUG: Started auxiliary module Auxfile
2018-08-22 10:18:37,588 [root] DEBUG: Started auxiliary module Browser
2018-08-22 10:18:37,588 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2018-08-22 10:18:41,707 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2018-08-22 10:18:41,707 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2018-08-22 10:18:41,707 [root] DEBUG: Started auxiliary module DigiSig
2018-08-22 10:18:41,707 [root] DEBUG: Started auxiliary module Disguise
2018-08-22 10:18:41,707 [root] DEBUG: Started auxiliary module Human
2018-08-22 10:18:41,707 [root] DEBUG: Started auxiliary module Screenshots
2018-08-22 10:18:41,723 [root] DEBUG: Started auxiliary module Usage
2018-08-22 10:18:41,723 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2018-08-22 10:18:41,723 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2018-08-22 10:18:50,474 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\xxx\AppData\Local\Temp\5bc978433646fa357d6b2c29ab45f6789b14379c224d2d3fc25d310cc7258733.doc" /q" with pid 1908
2018-08-22 10:18:50,474 [lib.api.process] INFO: DLL to inject is dll\WqFmdc.dll
2018-08-22 10:18:50,474 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-08-22 10:18:50,474 [lib.api.process] INFO: Option 'debug' with value '2' sent to monitor
2018-08-22 10:18:50,645 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1908
2018-08-22 10:18:52,658 [lib.api.process] INFO: Successfully resumed process with pid 1908
2018-08-22 10:18:52,658 [root] INFO: Added new process to list with pid: 1908
2018-08-22 10:18:53,032 [root] DEBUG: Process memory dumps enabled.
2018-08-22 10:18:53,313 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1908 at 0x73fe0000, image base 0x2f4c0000, stack from 0x265000-0x270000
2018-08-22 10:18:53,313 [root] INFO: Monitor successfully loaded in process with pid 1908.
2018-08-22 10:18:53,345 [root] DEBUG: DLL loaded at 0x73F50000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32 (0x84000 bytes).
2018-08-22 10:18:53,500 [root] DEBUG: DLL loaded at 0x72340000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127a000 bytes).
2018-08-22 10:18:53,563 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2018-08-22 10:18:53,625 [root] DEBUG: DLL loaded at 0x73DA0000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2018-08-22 10:18:53,641 [root] DEBUG: DLL loaded at 0x74730000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2018-08-22 10:18:53,687 [root] DEBUG: DLL loaded at 0x743C0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2018-08-22 10:18:53,812 [root] DEBUG: DLL loaded at 0x70FA0000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1392000 bytes).
2018-08-22 10:18:54,296 [root] DEBUG: DLL loaded at 0x6FDC0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e0000 bytes).
2018-08-22 10:18:54,344 [root] DEBUG: DLL loaded at 0x73B60000: C:\Windows\system32\msi (0x240000 bytes).
2018-08-22 10:18:54,390 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\system32\apphelp (0x4c000 bytes).
2018-08-22 10:18:55,342 [root] DEBUG: DLL loaded at 0x739C0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2018-08-22 10:18:55,497 [root] INFO: Disabling sleep skipping.
2018-08-22 10:18:55,592 [root] DEBUG: DLL loaded at 0x6F9B0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2018-08-22 10:18:55,857 [root] DEBUG: DLL loaded at 0x73710000: C:\Program Files (x86)\Microsoft Office\Office14\1033\wwintl (0xc9000 bytes).
2018-08-22 10:18:56,028 [root] DEBUG: DLL unloaded from 0x765C0000.
2018-08-22 10:18:56,105 [root] DEBUG: DLL loaded at 0x73650000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2018-08-22 10:18:56,153 [root] DEBUG: DLL loaded at 0x735D0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2018-08-22 10:18:56,450 [root] DEBUG: DLL loaded at 0x6F860000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2018-08-22 10:18:56,496 [root] DEBUG: DLL loaded at 0x6B330000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2018-08-22 10:18:56,559 [root] DEBUG: DLL loaded at 0x6B0C0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2018-08-22 10:18:56,605 [root] INFO: Announced 32-bit process name:  pid: 125078576
2018-08-22 10:18:56,651 [lib.api.process] WARNING: The process with pid 125078576 is not alive, injection aborted
2018-08-22 10:18:56,651 [root] DEBUG: DLL loaded at 0x73970000: C:\Windows\system32\mscoree (0x4a000 bytes).
2018-08-22 10:18:56,684 [root] DEBUG: DLL loaded at 0x6B040000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2018-08-22 10:18:56,684 [root] DEBUG: DLL unloaded from 0x76790000.
2018-08-22 10:18:56,684 [root] DEBUG: DLL loaded at 0x743B0000: C:\Windows\system32\VERSION (0x9000 bytes).
2018-08-22 10:18:57,167 [root] DEBUG: DLL loaded at 0x73950000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2018-08-22 10:18:57,665 [root] DEBUG: DLL loaded at 0x6B020000: C:\Windows\system32\DwmApi (0x13000 bytes).
2018-08-22 10:18:58,134 [root] DEBUG: DLL loaded at 0x6AFC0000: C:\Windows\system32\Winspool.DRV (0x51000 bytes).
2018-08-22 10:18:58,368 [root] DEBUG: DLL loaded at 0x75510000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2018-08-22 10:18:58,368 [root] DEBUG: DLL unloaded from 0x750D0000.
2018-08-22 10:18:58,400 [root] DEBUG: DLL loaded at 0x6AF90000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2018-08-22 10:18:58,461 [root] DEBUG: DLL loaded at 0x76830000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2018-08-22 10:18:58,461 [root] DEBUG: DLL loaded at 0x766D0000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2018-08-22 10:18:58,461 [root] DEBUG: DLL loaded at 0x764B0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2018-08-22 10:18:58,461 [root] DEBUG: DLL unloaded from 0x6AF90000.
2018-08-22 10:18:59,273 [root] DEBUG: DLL unloaded from 0x2F4C0000.
2018-08-22 10:18:59,319 [root] DEBUG: DLL loaded at 0x76830000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2018-08-22 10:18:59,319 [root] DEBUG: DLL loaded at 0x766D0000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2018-08-22 10:18:59,319 [root] DEBUG: DLL loaded at 0x764B0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2018-08-22 10:18:59,335 [root] DEBUG: DLL loaded at 0x76700000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2018-08-22 10:18:59,351 [root] DEBUG: DLL loaded at 0x6AEC0000: C:\Windows\system32\propsys (0xf5000 bytes).
2018-08-22 10:18:59,351 [root] DEBUG: DLL unloaded from 0x75510000.
2018-08-22 10:18:59,367 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\system32\ntmarta (0x21000 bytes).
2018-08-22 10:18:59,367 [root] DEBUG: DLL loaded at 0x75310000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2018-08-22 10:18:59,615 [root] DEBUG: DLL loaded at 0x749F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2018-08-22 10:18:59,615 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2018-08-22 10:18:59,615 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2018-08-22 10:18:59,788 [root] DEBUG: DLL loaded at 0x6AD60000: C:\Windows\System32\msxml6 (0x158000 bytes).
2018-08-22 10:18:59,835 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: msxml6.dll+8e249 74e1c41f, Fault Address: 0068dfc8, Esp: 00264ef0, Exception Code: e0000002,  msxml6.dll+e22e7 msxml6.dll+bf131 msxml6.dll+674cf msxml6.dll+6a113 msxml6.dll+680bb mso.dll+25d04e m
2018-08-22 10:18:59,835 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: msxml6.dll+8e249 74e1c41f, Fault Address: 0068dfc8, Esp: 00264ef0, Exception Code: e0000002,  msxml6.dll+e22e7 msxml6.dll+bf131 msxml6.dll+674cf msxml6.dll+6a113 msxml6.dll+680bb mso.dll+25d04e m
2018-08-22 10:18:59,897 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: msxml6.dll+8e249 74e1c41f, Fault Address: 058eee38, Esp: 002646f8, Exception Code: e0000002,  msxml6.dll+e22e7 msxml6.dll+bf131 msxml6.dll+674cf msxml6.dll+6a113 msxml6.dll+680bb mso.dll+25e6b3 w
2018-08-22 10:18:59,897 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: msxml6.dll+8e249 74e1c41f, Fault Address: 058eee38, Esp: 002646f8, Exception Code: e0000002,  msxml6.dll+e22e7 msxml6.dll+bf131 msxml6.dll+674cf msxml6.dll+6a113 msxml6.dll+680bb mso.dll+25e6b3 w
2018-08-22 10:19:00,224 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\profapi (0xb000 bytes).
2018-08-22 10:19:01,066 [root] DEBUG: DLL loaded at 0x76A10000: C:\Windows\SysWOW64\urlmon (0x14a000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x769F0000: C:\Windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x77320000: C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x752A0000: C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x769E0000: C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x74D30000: C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x750C0000: C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x769D0000: C:\Windows\syswow64\normaliz (0x3000 bytes).
2018-08-22 10:19:01,098 [root] DEBUG: DLL loaded at 0x76D10000: C:\Windows\syswow64\iertutil (0x232000 bytes).
2018-08-22 10:19:01,176 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\syswow64\WININET (0x1e4000 bytes).
2018-08-22 10:19:01,176 [root] DEBUG: DLL loaded at 0x75360000: C:\Windows\syswow64\USERENV (0x17000 bytes).
2018-08-22 10:19:01,410 [root] DEBUG: DLL loaded at 0x6AD50000: C:\Windows\system32\Secur32 (0x8000 bytes).
2018-08-22 10:19:01,503 [root] DEBUG: DLL loaded at 0x6AD40000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2018-08-22 10:19:01,862 [root] DEBUG: DLL loaded at 0x6AB00000: C:\Program Files (x86)\Microsoft Office\Office14\GKWord (0x239000 bytes).
2018-08-22 10:19:01,910 [root] DEBUG: DLL unloaded from 0x6AB00000.
2018-08-22 10:19:03,125 [root] DEBUG: DLL loaded at 0x6ACA0000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10 (0x9e000 bytes).
2018-08-22 10:19:04,108 [root] DEBUG: DLL loaded at 0x6AB10000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus (0x190000 bytes).
2018-08-22 10:19:04,125 [root] DEBUG: DLL unloaded from 0x765C0000.
2018-08-22 10:19:06,200 [root] DEBUG: DLL loaded at 0x6AAB0000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2018-08-22 10:19:06,496 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1328
2018-08-22 10:19:06,496 [lib.api.process] INFO: DLL to inject is dll\KbWrLSp.dll
2018-08-22 10:19:06,496 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2018-08-22 10:19:06,496 [lib.api.process] INFO: Option 'debug' with value '2' sent to monitor
2018-08-22 10:19:06,760 [root] DEBUG: Process memory dumps enabled.
2018-08-22 10:19:06,760 [root] INFO: Disabling sleep skipping.
2018-08-22 10:19:07,151 [root] WARNING: Unable to place hook on LockResource
2018-08-22 10:19:07,151 [root] WARNING: Unable to hook LockResource
2018-08-22 10:19:07,338 [root] DEBUG: DLL loaded at 0x6A970000: C:\Windows\system32\SXS (0x5f000 bytes).
2018-08-22 10:19:07,634 [root] DEBUG: DLL loaded at 0x6A6E0000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2018-08-22 10:19:07,805 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1328 at 0x000000006A9D0000, image base 0x00000000FF800000, stack from 0x0000000003CF2000-0x0000000003D00000
2018-08-22 10:19:07,805 [root] INFO: Added new process to list with pid: 1328
2018-08-22 10:19:07,805 [root] INFO: Monitor successfully loaded in process with pid 1328.
2018-08-22 10:19:08,523 [root] DEBUG: DLL loaded at 0x65300000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2018-08-22 10:19:09,974 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2436
2018-08-22 10:19:09,974 [lib.api.process] INFO: DLL to inject is dll\WqFmdc.dll
2018-08-22 10:19:09,974 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-08-22 10:19:09,990 [lib.api.process] INFO: Option 'debug' with value '2' sent to monitor
2018-08-22 10:19:09,990 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2436
2018-08-22 10:19:10,006 [root] DEBUG: Process memory dumps enabled.
2018-08-22 10:19:10,006 [root] INFO: Disabling sleep skipping.
2018-08-22 10:19:10,006 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2436 at 0x73fe0000, image base 0x4ab20000, stack from 0x333000-0x430000
2018-08-22 10:19:10,006 [root] INFO: Added new process to list with pid: 2436
2018-08-22 10:19:10,006 [root] INFO: Monitor successfully loaded in process with pid 2436.
2018-08-22 10:19:10,177 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\system32\apphelp (0x4c000 bytes).
2018-08-22 10:19:10,209 [root] INFO: Announced 32-bit process name: powershell.exe pid: 1280
2018-08-22 10:19:10,209 [lib.api.process] INFO: DLL to inject is dll\WqFmdc.dll
2018-08-22 10:19:10,209 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-08-22 10:19:10,209 [lib.api.process] INFO: Option 'debug' with value '2' sent to monitor
2018-08-22 10:19:10,223 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1280
2018-08-22 10:19:10,365 [root] DEBUG: Process memory dumps enabled.
2018-08-22 10:19:10,365 [root] INFO: Disabling sleep skipping.
2018-08-22 10:19:10,365 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1280 at 0x73fe0000, image base 0x260000, stack from 0x346000-0x350000
2018-08-22 10:19:10,365 [root] INFO: Added new process to list with pid: 1280
2018-08-22 10:19:10,365 [root] INFO: Monitor successfully loaded in process with pid 1280.
2018-08-22 10:19:10,365 [root] DEBUG: DLL loaded at 0x6B040000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7d000 bytes).
2018-08-22 10:19:10,365 [root] DEBUG: DLL unloaded from 0x76790000.
2018-08-22 10:19:10,380 [root] DEBUG: DLL loaded at 0x743B0000: C:\Windows\system32\VERSION (0x9000 bytes).
2018-08-22 10:19:10,380 [root] DEBUG: DLL loaded at 0x69FF0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x6ee000 bytes).
2018-08-22 10:19:10,380 [root] DEBUG: DLL loaded at 0x69EF0000: C:\Windows\system32\MSVCR120_CLR0400 (0xf5000 bytes).
2018-08-22 10:19:10,457 [root] DEBUG: DLL loaded at 0x68B60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni (0x138f000 bytes).
2018-08-22 10:19:11,549 [root] DEBUG: DLL loaded at 0x68150000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e071297bb06faa961bef045ae5f25fdc\System.ni (0xa10000 bytes).
2018-08-22 10:19:11,596 [root] DEBUG: DLL loaded at 0x67010000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\21a1606b6c00f9abe7db55c02e0f87c9\System.Core.ni (0x7e0000 bytes).
2018-08-22 10:19:11,596 [root] DEBUG: DLL loaded at 0x680C0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\9e67cb880d5d392fc8150f224927c58e\Microsoft.PowerShell.ConsoleHost.ni (0x8a000 bytes).
2018-08-22 10:19:11,596 [root] DEBUG: DLL loaded at 0x749F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2018-08-22 10:19:11,612 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2018-08-22 10:19:11,956 [root] DEBUG: DLL loaded at 0x65620000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\8dac87092f3a9a3d5bf150028d2d2ddc\System.Management.Automation.ni (0x19e4000 bytes).
2018-08-22 10:19:12,128 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0034da94, Esp: 0034d9dc, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+1034f6 clr.dll+ebcc mscorlib.ni.dll+40
2018-08-22 10:19:12,128 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0034da94, Esp: 0034d9dc, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+1034f6 clr.dll+ebcc mscorlib.ni.dll+40
2018-08-22 10:19:12,283 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0034dc6c, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+34f868 clr.dll+ebcc mscorlib.ni.dll+406414 mscorlib.ni.dll+3c33c6
2018-08-22 10:19:12,283 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0034dc6c, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+34f868 clr.dll+ebcc mscorlib.ni.dll+406414 mscorlib.ni.dll+3c33c6
2018-08-22 10:19:12,829 [root] DEBUG: DLL loaded at 0x680A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x13000 bytes).
2018-08-22 10:19:13,048 [root] DEBUG: DLL unloaded from 0x00260000.
2018-08-22 10:19:13,298 [root] DEBUG: DLL loaded at 0x75510000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2018-08-22 10:19:13,375 [root] DEBUG: DLL loaded at 0x75090000: C:\Windows\syswow64\wintrust (0x2f000 bytes).
2018-08-22 10:19:13,375 [root] DEBUG: DLL loaded at 0x75170000: C:\Windows\syswow64\CRYPT32 (0x121000 bytes).
2018-08-22 10:19:13,375 [root] DEBUG: DLL loaded at 0x75380000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2018-08-22 10:19:13,375 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05d4ed14, Esp: 05d4ec5c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.
2018-08-22 10:19:13,375 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05d4ed14, Esp: 05d4ec5c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.
2018-08-22 10:19:13,407 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05d4efbc, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+5fb39e Sy
2018-08-22 10:19:13,407 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05d4efbc, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+5fb39e Sy
2018-08-22 10:19:13,437 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05e6ed0c, Esp: 05e6ec54, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.
2018-08-22 10:19:13,437 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05e6ed0c, Esp: 05e6ec54, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.
2018-08-22 10:19:13,484 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05e6efb4, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 Sy
2018-08-22 10:19:13,500 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05e6efb4, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 Sy
2018-08-22 10:19:13,500 [root] DEBUG: DLL loaded at 0x68090000: C:\Windows\system32\MSISIP (0x8000 bytes).
2018-08-22 10:19:13,516 [root] DEBUG: DLL unloaded from 0x753B0000.
2018-08-22 10:19:13,516 [root] DEBUG: DLL loaded at 0x68070000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2018-08-22 10:19:13,516 [root] DEBUG: DLL loaded at 0x73F50000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2018-08-22 10:19:13,516 [root] DEBUG: DLL loaded at 0x68060000: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip (0xa000 bytes).
2018-08-22 10:19:14,390 [root] DEBUG: DLL loaded at 0x64E30000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1288d7e030bc0c5d8b2cbe5f33aeed7f\System.Data.ni (0x7e4000 bytes).
2018-08-22 10:19:14,483 [root] DEBUG: DLL loaded at 0x67D10000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data (0x350000 bytes).
2018-08-22 10:19:14,624 [root] DEBUG: DLL loaded at 0x75050000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2018-08-22 10:19:14,624 [root] DEBUG: DLL loaded at 0x76BC0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2018-08-22 10:19:14,858 [root] INFO: Announced 32-bit process name:  pid: 1
2018-08-22 10:19:14,858 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2018-08-22 10:19:14,936 [root] DEBUG: DLL unloaded from 0x69FF0000.
2018-08-22 10:19:15,216 [root] DEBUG: DLL loaded at 0x646F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\7c8f75f367134a030cba4a127dc62a2f\System.Xml.ni (0x73e000 bytes).
2018-08-22 10:19:15,263 [root] DEBUG: DLL loaded at 0x67BE0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\e588691224a17737f3a164cc2d46c156\System.Management.ni (0x123000 bytes).
2018-08-22 10:19:15,325 [root] DEBUG: DLL loaded at 0x67AB0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\6587db30c0be7c0a01732fbff2d30c8b\System.DirectoryServices.ni (0x122000 bytes).
2018-08-22 10:19:15,434 [root] INFO: Announced 32-bit process name:  pid: 1
2018-08-22 10:19:15,434 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2018-08-22 10:19:15,496 [root] INFO: Announced 32-bit process name:  pid: 1
2018-08-22 10:19:15,513 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,605 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06ace050, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06ace050, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06ace050, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06ace050, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,638 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acd9fc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde34, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,653 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde34, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,668 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,668 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,668 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde34, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,668 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde34, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,668 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdbfc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,668 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdbfc, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,700 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,700 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acde1c, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,762 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,762 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,917 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,934 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,950 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,964 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,964 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,964 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,964 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,964 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,980 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,980 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,980 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,980 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,980 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:15,980 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acddf4, Exception Code: c004f012,  RPCRT4.dll+2374b RPCRT4.dll+42b08 RPCRT4.dll+1801a OSPPC.DLL+33cf OSPPC.DLL+15dba OSPPC.DLL+3b21 OSPP
2018-08-22 10:19:16,012 [root] DEBUG: DLL loaded at 0x67AA0000: C:\Windows\system32\api-ms-win-core-xstate-l2-1-0 (0x3000 bytes).
2018-08-22 10:19:16,012 [root] DEBUG: DLL loaded at 0x67A20000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x80000 bytes).
2018-08-22 10:19:16,042 [root] DEBUG: DLL loaded at 0x64690000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\91efc533c215195cfb4ad0b42b0cb5cd\Microsoft.PowerShell.Security.ni (0x51000 bytes).
2018-08-22 10:19:16,059 [root] DEBUG: DLL loaded at 0x645D0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\baa30f3e0869fa3e8885df044c880bbc\System.Transactions.ni (0xb1000 bytes).
2018-08-22 10:19:16,073 [root] DEBUG: DLL loaded at 0x64580000: C:\Windows\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions (0x4b000 bytes).
2018-08-22 10:19:16,339 [root] DEBUG: DLL loaded at 0x64480000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\cd03f9386e02f56502e01a25ddd7e0a7\System.Configuration.ni (0xfc000 bytes).
2018-08-22 10:19:16,385 [root] DEBUG: DLL loaded at 0x64400000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\8f29595c54199d4fa919ad2e5205c4a7\Microsoft.Management.Infrastructure.ni (0x7b000 bytes).
2018-08-22 10:19:16,385 [root] DEBUG: DLL loaded at 0x643B0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\5ac17cc5b92efda83e2925857f4fa655\System.Numerics.ni (0x45000 bytes).
2018-08-22 10:19:16,510 [root] DEBUG: DLL loaded at 0x6AD50000: C:\Windows\system32\secur32 (0x8000 bytes).
2018-08-22 10:19:16,838 [root] DEBUG: DLL loaded at 0x64280000: C:\Windows\system32\WindowsCodecs (0x130000 bytes).
2018-08-22 10:19:17,259 [root] DEBUG: DLL loaded at 0x640F0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\7f0531cbaadefd63fb9c1f7ae51fc668\Microsoft.CSharp.ni (0x18b000 bytes).
2018-08-22 10:19:17,525 [modules.auxiliary.human] INFO: Closing Office window.
2018-08-22 10:19:17,977 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2018-08-22 10:19:17,977 [root] DEBUG: DLL unloaded from 0x00260000.
2018-08-22 10:19:17,993 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0776eb24, Esp: 0776ea6c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.
2018-08-22 10:19:17,993 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0776eb24, Esp: 0776ea6c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.
2018-08-22 10:19:17,993 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0776edc4, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 Sy
2018-08-22 10:19:17,993 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0776edc4, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 Sy
2018-08-22 10:19:18,039 [root] DEBUG: DLL unloaded from 0x6A6E0000.
2018-08-22 10:19:18,742 [root] DEBUG: DLL unloaded from 0x76C80000.
2018-08-22 10:19:18,742 [root] DEBUG: DLL unloaded from 0x6A6E0000.
2018-08-22 10:19:18,742 [root] DEBUG: DLL unloaded from 0x65300000.
2018-08-22 10:19:18,851 [root] DEBUG: DLL loaded at 0x6A940000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2018-08-22 10:19:18,851 [root] DEBUG: DLL unloaded from 0x6A940000.
2018-08-22 10:19:18,881 [root] DEBUG: DLL unloaded from 0x76C80000.
2018-08-22 10:19:18,881 [root] DEBUG: DLL unloaded from 0x753B0000.
2018-08-22 10:19:18,881 [root] DEBUG: DLL unloaded from 0x73970000.
2018-08-22 10:19:18,881 [root] DEBUG: DLL unloaded from 0x6B040000.
2018-08-22 10:19:18,914 [root] DEBUG: DLL unloaded from 0x6F9B0000.
2018-08-22 10:19:18,960 [root] DEBUG: DLL unloaded from 0x2F4C0000.
2018-08-22 10:19:18,976 [root] DEBUG: DLL unloaded from 0x6B020000.
2018-08-22 10:19:18,976 [root] DEBUG: DLL unloaded from 0x765C0000.
2018-08-22 10:19:19,053 [root] DEBUG: DLL unloaded from 0x75510000.
2018-08-22 10:19:19,053 [root] DEBUG: DLL unloaded from 0x743B0000.
2018-08-22 10:19:19,053 [root] DEBUG: DLL unloaded from 0x6F860000.
2018-08-22 10:19:19,131 [root] DEBUG: DLL unloaded from 0x6AFC0000.
2018-08-22 10:19:19,131 [root] DEBUG: DLL unloaded from 0x765C0000.
2018-08-22 10:19:19,131 [root] DEBUG: DLL unloaded from 0x735D0000.
2018-08-22 10:19:19,148 [root] DEBUG: DLL unloaded from 0x76390000.
2018-08-22 10:19:19,148 [root] DEBUG: DLL unloaded from 0x6B020000.
2018-08-22 10:19:19,194 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1908
2018-08-22 10:19:19,194 [root] DEBUG: GetHookCallerBase: thread 672 (handle 0x0), return address 0x2F4C1602, allocation base 0x2F4C0000.
2018-08-22 10:19:19,194 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2F4C0000.
2018-08-22 10:19:19,194 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010EC.
2018-08-22 10:19:19,397 [root] INFO: Added new CAPE file to list with path: C:\sypwnptsfq\CAPE\1908_48629374848412122382018
2018-08-22 10:19:19,397 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x159c00.
2018-08-22 10:19:19,397 [root] WARNING: File at path "C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{017521AE-D8F4-4065-AD6C-161B43AF813C}.tmp" does not exist, skip.
2018-08-22 10:19:19,413 [root] DEBUG: DLL unloaded from 0x74D40000.
2018-08-22 10:19:19,413 [root] DEBUG: DLL unloaded from 0x6AEC0000.
2018-08-22 10:19:19,474 [root] DEBUG: DLL unloaded from 0x765C0000.
2018-08-22 10:19:19,474 [root] DEBUG: DLL unloaded from 0x750D0000.
2018-08-22 10:19:19,474 [root] DEBUG: DLL unloaded from 0x74790000.
2018-08-22 10:19:19,474 [root] INFO: Notified of termination of process with pid 1908.
2018-08-22 10:19:20,036 [root] INFO: Process with pid 1908 has terminated
2018-08-22 10:19:38,007 [root] DEBUG: DLL unloaded from 0x753B0000.
2018-08-22 10:19:43,562 [root] DEBUG: DLL unloaded from 0x68090000.
2018-08-22 10:19:43,576 [root] DEBUG: DLL unloaded from 0x68070000.
2018-08-22 10:19:43,608 [root] DEBUG: DLL unloaded from 0x68060000.
2018-08-22 10:19:43,624 [root] DEBUG: DLL unloaded from 0x75170000.
2018-08-22 10:20:18,099 [root] DEBUG: DLL unloaded from 0x000007FEFE2D0000.
2018-08-22 10:23:10,059 [root] DEBUG: DLL unloaded from 0x000007FEF9440000.
2018-08-22 10:23:10,089 [root] DEBUG: DLL unloaded from 0x000007FEF59D0000.
2018-08-22 10:23:37,999 [root] DEBUG: DLL unloaded from 0x000007FEFE2D0000.
2018-08-22 10:23:55,845 [root] INFO: Analysis timeout hit, terminating analysis.
2018-08-22 10:23:55,845 [root] INFO: Created shutdown mutex.
2018-08-22 10:23:56,858 [root] INFO: Shutting down package.
2018-08-22 10:23:56,858 [root] INFO: Stopping auxiliary modules.
2018-08-22 10:23:56,875 [root] DEBUG: Terminate Event: Attempting to dump process 1328
2018-08-22 10:23:56,875 [root] DEBUG: GetHookCallerBase: thread 2832 (handle 0x0), return address 0x00000000060BFB48, allocation base 0x0000000006040000.
2018-08-22 10:23:56,875 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF800000.
2018-08-22 10:23:56,875 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2018-08-22 10:23:57,155 [root] INFO: Added new CAPE file to list with path: C:\sypwnptsfq\CAPE\1328_173621701456231422382018
2018-08-22 10:23:57,155 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2bd200.
2018-08-22 10:24:02,381 [root] DEBUG: Terminate Event: Attempting to dump process 2436
2018-08-22 10:24:02,381 [root] DEBUG: GetHookCallerBase: thread 1092 (handle 0x0), return address 0x74E214D0, allocation base 0x74E10000.
2018-08-22 10:24:02,397 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4AB20000.
2018-08-22 10:24:02,397 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2018-08-22 10:24:02,427 [root] INFO: Added new CAPE file to list with path: C:\sypwnptsfq\CAPE\2436_4066034932442122382018
2018-08-22 10:24:02,460 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2018-08-22 10:24:07,934 [root] DEBUG: Terminate Event: Attempting to dump process 1280
2018-08-22 10:24:07,950 [root] DEBUG: GetHookCallerBase: thread 2500 (handle 0x0), return address 0x74E214D0, allocation base 0x74E10000.
2018-08-22 10:24:07,982 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00260000.
2018-08-22 10:24:07,982 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000D330.
2018-08-22 10:24:07,982 [root] INFO: Added new CAPE file to list with path: C:\sypwnptsfq\CAPE\1280_12425250767241422382018
2018-08-22 10:24:07,997 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x68a00.
2018-08-22 10:24:13,426 [root] INFO: Terminating remaining processes before shutdown.
2018-08-22 10:24:13,441 [lib.api.process] INFO: Successfully terminated process with pid 1328.
2018-08-22 10:24:13,441 [lib.api.process] INFO: Successfully terminated process with pid 2436.
2018-08-22 10:24:13,441 [lib.api.process] INFO: Successfully terminated process with pid 1280.
2018-08-22 10:24:13,441 [root] INFO: Finishing auxiliary modules.
2018-08-22 10:24:13,441 [root] INFO: Shutting down pipe server and dumping dropped files.
2018-08-22 10:24:13,457 [root] INFO: Analysis completed.

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

Just tried this sample on win7x64 and the powershell.exe process seems to run fine...

from cape.

enzok avatar enzok commented on July 19, 2024

I've tried on 2 win7x64 VMs, one with just SP2 and the other with the latest patches. I have the latest PowerShell on each (v5.1).

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

Interesting... Try putting dll=cuckoomon.dll in options, just to see how it fares with the latest spender monitor.

from cape.

enzok avatar enzok commented on July 19, 2024

Could this be an issue with the VC++ redistributable version?

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

Who knows?! Did you try the other monitor?

from cape.

enzok avatar enzok commented on July 19, 2024

I will after this mind melting meeting I'm in currently.

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

Heh you need a crafty portal to stay in touch with the malwarez ;-)

from cape.

enzok avatar enzok commented on July 19, 2024

dll=cuckoomon.dll option worked. Is there a way to debug capemon further?

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

Yes, of course, but it can be tricky - those exceptions earlier unfortunately didn't give an address within capemon to allow for easy debugging. Can you compile a version yourself? If all else fails, disabling a bunch of hooks and iterating through builds can be the long road to finding the bug...

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

Another idea is to look at the API logs - how far did the process get before it crashed and what was the last call, stuff like that. Maybe contrast with the working log from cuckoomon.

from cape.
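An added triage helper for the two suggestions above (not CAPE's or kevoreilly's code): it parses the "Exception Caught!" lines capemon writes to analyzer.log, collapses the repeated lines into distinct (PID, exception code, SEH handler module) groups, and checks whether any EIP or stack frame falls inside a given module such as capemon.dll. The sample log is constructed from the format of the lines posted above; the PID 4242 line with a capemon.dll frame is hypothetical, added only so the module check has something to find.

```python
"""Triage helper for "Exception Caught!" lines in a CAPE analyzer.log (added example).

Works on both line shapes seen in this thread: the "[root] DEBUG:" form and the
"[lib.cuckoo.common.netlog] INFO: Debug message from monitor:" form.
"""
import re
from collections import Counter

# Constructed sample in the format of the log posted above. The first lines mirror
# real entries (including the duplicated reporting and the truncated last frame);
# the PID 4242 line is hypothetical, added only to exercise the capemon.dll check.
SAMPLE_LOG = "\n".join([
    "2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f "
    "SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  "
    "RPCRT4.dll+2374b RPCRT4.dll+42b08 OSPPC.DLL+33cf OSPP",
    "2018-08-22 10:19:15,621 [root] DEBUG: Exception Caught! PID: 1908 EIP: KERNELBASE.dll+c41f "
    "SEH: RPCRT4.dll+2383d 74e1c41f, Fault Address: 06b0ef28, Esp: 06acdc30, Exception Code: c004f012,  "
    "RPCRT4.dll+2374b RPCRT4.dll+42b08 OSPPC.DLL+33cf OSPP",
    "2018-08-22 10:19:16,510 [root] DEBUG: DLL loaded at 0x6AD50000: C:\\Windows\\system32\\secur32 (0x8000 bytes).",
    "2018-08-22 10:19:17,993 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f "
    "SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0776eb24, Esp: 0776ea6c, Exception Code: e06d7363,  "
    "MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722",
    "2018-08-22 10:19:17,993 [root] DEBUG: Exception Caught! PID: 1280 EIP: KERNELBASE.dll+c41f "
    "SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0776edc4, Exception Code: e0434352,  "
    "clr.dll+155383 clr.dll+2d75ab System.Management.Automation.ni.dll+e8f934",
    # Hypothetical line (constructed): a fault with the monitor itself on the stack.
    "2018-08-22 10:19:20,000 [root] DEBUG: Exception Caught! PID: 4242 EIP: capemon.dll+1a2b "
    "SEH: ntdll.dll+39f72 10001a2b, Fault Address: 00000000, Esp: 0012f000, Exception Code: c0000005,  "
    "capemon.dll+2c3d kernel32.dll+133aa ntdll.dll+39f72 Bytes at EIP: 8b 00 cc cc",
])

# Layout of one exception line (see the log above):
#   Exception Caught! PID: <pid> EIP: <mod+off> SEH: <mod+off> <eip hex>, Fault Address: <hex>,
#   Esp: <hex>, Exception Code: <hex>,  <frame> <frame> ... [Bytes at EIP: <hex bytes>]
EXC_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<eip>\S+) SEH: (?P<seh>\S+) "
    r"(?P<eip_abs>[0-9a-fA-F]+), Fault Address: (?P<fault>[0-9a-fA-F]+), "
    r"Esp: (?P<esp>[0-9a-fA-F]+), Exception Code: (?P<code>[0-9a-fA-F]+),\s*"
    r"(?P<frames>.*?)(?: Bytes at EIP: (?P<bytes>.*))?$"
)

# Well-known exception codes that appear in these logs (Windows/runtime values, not CAPE-specific).
KNOWN_CODES = {
    "c0000005": "access violation (STATUS_ACCESS_VIOLATION)",
    "e06d7363": "MSVC C++ exception ('msc')",
    "e0434352": "CLR managed exception ('CCR')",
    "c004f012": "Software Licensing Service status (OSPP licensing check in Office)",
}


def describe_code(code):
    """Human-readable meaning for an exception code, or 'unknown' if not in the table."""
    return KNOWN_CODES.get(code.lower(), "unknown (0x%s)" % code.lower())


def split_frame(frame):
    """'clr.dll+57ff8c' -> ('clr.dll', 0x57ff8c); a truncated frame like 'OSPP' -> ('OSPP', None)."""
    mod, sep, off = frame.rpartition("+")
    if not sep or not re.fullmatch(r"[0-9a-fA-F]+", off):
        return frame, None
    return mod, int(off, 16)


def parse_exceptions(text):
    """Return one dict per exception line; DLL load/unload and other analyzer lines are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EXC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["line"] = lineno
        rec["code"] = rec["code"].lower()
        rec["eip_module"], rec["eip_offset"] = split_frame(rec["eip"])
        rec["seh_module"], rec["seh_offset"] = split_frame(rec["seh"])
        rec["frames"] = [split_frame(f) for f in rec["frames"].split()]
        records.append(rec)
    return records


def summarize(records):
    """Count exceptions per (pid, code, SEH handler module) so repeated lines collapse."""
    return Counter((r["pid"], r["code"], r["seh_module"]) for r in records)


def frames_in_module(records, module):
    """Records whose EIP or any stack frame lies inside `module` (case-insensitive)."""
    want = module.lower()
    return [r for r in records
            if want in {r["eip_module"].lower()} | {m.lower() for m, _ in r["frames"]}]


def report(text, monitor="capemon.dll"):
    """One summary line per distinct exception group, plus a count of frames inside the monitor."""
    records = parse_exceptions(text)
    lines = ["PID %s  code %s (%s)  handler in %s  x%d" % (pid, code, describe_code(code), seh, n)
             for (pid, code, seh), n in sorted(summarize(records).items())]
    lines.append("frames inside %s: %d" % (monitor, len(frames_in_module(records, monitor))))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the log posted above, the same grouping shows the PID 1908 lines are one licensing-status exception reported many times with no monitor frame, which is the quickest way to tell a noisy but benign exception from a crash worth chasing.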

enzok avatar enzok commented on July 19, 2024

I can compile. Any issues with VS2017?

from cape.

kevoreilly avatar kevoreilly commented on July 19, 2024

No, should be fine - there is even a pull request by @redsand for VS2017 (ctxis/capemon#2) which I am trying to prepare for by setting up VS2017 in my dev VMs, but it's taking me a while as I haven't got enough space for both 2015 and 2017... Anyway, you should still be able to check out this pull request; let me know how it goes.

from cape.

enzok avatar enzok commented on July 19, 2024

Is there anything in this log that gives you more info?

2018-08-22 14:06:47,687 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0027e104, Esp: 0027e04c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+1034f6 clr.dll+ebcc mscorlib.ni.dll+406414 mscorlib.ni.dll+3c33c6 mscorlib.ni.dll+390483 clr.dll+11d50 clr.dll+fe2bf clr.dll+a2661 clr.dll+fe39a clr.dll+fe44f clr.dll+fe660 clr.dll+fe6c0 mscorlib.ni.dll+3d4c30 mscorlib.ni.dll+3d6afd System.Management.Automation.ni.dll+10303c0 Microsoft.PowerShell.ConsoleHost.ni.dll+15791 clr.dll+eaf6 clr.dll+11d50 clr.dll+203db clr.dll+204b5 mscorlib.ni.dll+3efb31 mscorlib.ni.dll+3ef666 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+5ebd4 clr.dll+5e142 clr.dll+5e483 clr.dll+5e616 clr.dll+5e6c9 clr.dll+5e7ab powershell.exe+828b powershell.exe+9c8d powershell.exe+d26f kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:47,688 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0027e104, Esp: 0027e04c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+1034f6 clr.dll+ebcc mscorlib.ni.dll+406414 mscorlib.ni.dll+3c33c6 mscorlib.ni.dll+390483 clr.dll+11d50 clr.dll+fe2bf clr.dll+a2661 clr.dll+fe39a clr.dll+fe44f clr.dll+fe660 clr.dll+fe6c0 mscorlib.ni.dll+3d4c30 mscorlib.ni.dll+3d6afd System.Management.Automation.ni.dll+10303c0 Microsoft.PowerShell.ConsoleHost.ni.dll+15791 clr.dll+eaf6 clr.dll+11d50 clr.dll+203db clr.dll+204b5 mscorlib.ni.dll+3efb31 mscorlib.ni.dll+3ef666 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+5ebd4 clr.dll+5e142 clr.dll+5e483 clr.dll+5e616 clr.dll+5e6c9 clr.dll+5e7ab powershell.exe+828b powershell.exe+9c8d powershell.exe+d26f kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:47,988 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0027e2dc, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+34f868 clr.dll+ebcc mscorlib.ni.dll+406414 mscorlib.ni.dll+3c33c6 mscorlib.ni.dll+390483 clr.dll+11d50 clr.dll+fe2bf clr.dll+a2661 clr.dll+fe39a clr.dll+fe44f clr.dll+fe660 clr.dll+fe6c0 mscorlib.ni.dll+3d4c30 mscorlib.ni.dll+3d6afd System.Management.Automation.ni.dll+10303c0 Microsoft.PowerShell.ConsoleHost.ni.dll+15791 clr.dll+eaf6 clr.dll+11d50 clr.dll+203db clr.dll+204b5 mscorlib.ni.dll+3efb31 mscorlib.ni.dll+3ef666 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+5ebd4 clr.dll+5e142 clr.dll+5e483 clr.dll+5e616 clr.dll+5e6c9 clr.dll+5e7ab powershell.exe+828b powershell.exe+9c8d powershell.exe+d26f kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:47,988 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0027e2dc, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+34f868 clr.dll+ebcc mscorlib.ni.dll+406414 mscorlib.ni.dll+3c33c6 mscorlib.ni.dll+390483 clr.dll+11d50 clr.dll+fe2bf clr.dll+a2661 clr.dll+fe39a clr.dll+fe44f clr.dll+fe660 clr.dll+fe6c0 mscorlib.ni.dll+3d4c30 mscorlib.ni.dll+3d6afd System.Management.Automation.ni.dll+10303c0 Microsoft.PowerShell.ConsoleHost.ni.dll+15791 clr.dll+eaf6 clr.dll+11d50 clr.dll+203db clr.dll+204b5 mscorlib.ni.dll+3efb31 mscorlib.ni.dll+3ef666 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+5ebd4 clr.dll+5e142 clr.dll+5e483 clr.dll+5e616 clr.dll+5e6c9 clr.dll+5e7ab powershell.exe+828b powershell.exe+9c8d powershell.exe+d26f kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,093 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05def30c, Esp: 05def254, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.dll+a314b clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+10304c3 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,094 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05def30c, Esp: 05def254, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.dll+a314b clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+10304c3 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,195 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05def5b4, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+10304c3 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,206 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05def5b4, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+10304c3 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,811 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05b1eca4, Esp: 05b1ebec, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.dll+a314b clr.dll+ef79 System.Management.Automation.ni.dll+5fb39e System.Management.Automation.ni.dll+5fb272 System.Management.Automation.ni.dll+f07cd0 System.Management.Automation.ni.dll+10304b0 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,811 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 05b1eca4, Esp: 05b1ebec, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.dll+a314b clr.dll+ef79 System.Management.Automation.ni.dll+5fb39e System.Management.Automation.ni.dll+5fb272 System.Management.Automation.ni.dll+f07cd0 System.Management.Automation.ni.dll+10304b0 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,824 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05b1ef4c, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+5fb39e System.Management.Automation.ni.dll+5fb272 System.Management.Automation.ni.dll+f07cd0 System.Management.Automation.ni.dll+10304b0 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:50,826 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 05b1ef4c, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+5fb39e System.Management.Automation.ni.dll+5fb272 System.Management.Automation.ni.dll+f07cd0 System.Management.Automation.ni.dll+10304b0 mscorlib.ni.dll+3d5b28 mscorlib.ni.dll+3d56d0 mscorlib.ni.dll+3d5afa mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3d5978 mscorlib.ni.dll+3d5882 mscorlib.ni.dll+3d57cc mscorlib.ni.dll+39c9da clr.dll+11d50 clr.dll+17764 clr.dll+14f883 clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+14f811 clr.dll+14e66b clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:55,919 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0786ebc4, Esp: 0786eb0c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.dll+a314b clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+5fda36 System.Management.Automation.ni.dll+5fd907 System.Management.Automation.ni.dll+dec585 System.Management.Automation.ni.dll+5831cf System.Management.Automation.ni.dll+582ece System.Management.Automation.ni.dll+582e42 System.Management.Automation.ni.dll+582215 System.Management.Automation.ni.dll+581d2e System.Management.Automation.ni.dll+581253 System.Management.Automation.ni.dll+580bef System.Management.Automation.ni.dll+4f4f0d mscorlib.ni.dll+3c608d mscorlib.ni.dll+3f2925 mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3f27f1 mscorlib.ni.dll+3c5fe8 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+94d2d clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+94be2 clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:55,920 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, Fault Address: 0786ebc4, Esp: 0786eb0c, Exception Code: e06d7363,  MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba clr.dll+34f722 clr.dll+aba5d clr.dll+ab99d clr.dll+aba06 clr.dll+a314b clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+5fda36 System.Management.Automation.ni.dll+5fd907 System.Management.Automation.ni.dll+dec585 System.Management.Automation.ni.dll+5831cf System.Management.Automation.ni.dll+582ece System.Management.Automation.ni.dll+582e42 System.Management.Automation.ni.dll+582215 System.Management.Automation.ni.dll+581d2e System.Management.Automation.ni.dll+581253 System.Management.Automation.ni.dll+580bef System.Management.Automation.ni.dll+4f4f0d mscorlib.ni.dll+3c608d mscorlib.ni.dll+3f2925 mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3f27f1 mscorlib.ni.dll+3c5fe8 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+94d2d clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+94be2 clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:55,927 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0786ee64, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+5fda36 System.Management.Automation.ni.dll+5fd907 System.Management.Automation.ni.dll+dec585 System.Management.Automation.ni.dll+5831cf System.Management.Automation.ni.dll+582ece System.Management.Automation.ni.dll+582e42 System.Management.Automation.ni.dll+582215 System.Management.Automation.ni.dll+581d2e System.Management.Automation.ni.dll+581253 System.Management.Automation.ni.dll+580bef System.Management.Automation.ni.dll+4f4f0d mscorlib.ni.dll+3c608d mscorlib.ni.dll+3f2925 mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3f27f1 mscorlib.ni.dll+3c5fe8 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+94d2d clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+94be2 clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

2018-08-22 14:06:55,928 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, Fault Address: 00000000, Esp: 0786ee64, Exception Code: e0434352,  clr.dll+155383 clr.dll+2d75ab clr.dll+33de61 clr.dll+ef79 System.Management.Automation.ni.dll+e8f934 System.Management.Automation.ni.dll+5fda36 System.Management.Automation.ni.dll+5fd907 System.Management.Automation.ni.dll+dec585 System.Management.Automation.ni.dll+5831cf System.Management.Automation.ni.dll+582ece System.Management.Automation.ni.dll+582e42 System.Management.Automation.ni.dll+582215 System.Management.Automation.ni.dll+581d2e System.Management.Automation.ni.dll+581253 System.Management.Automation.ni.dll+580bef System.Management.Automation.ni.dll+4f4f0d mscorlib.ni.dll+3c608d mscorlib.ni.dll+3f2925 mscorlib.ni.dll+3f2836 mscorlib.ni.dll+3f27f1 mscorlib.ni.dll+3c5fe8 clr.dll+eaf6 clr.dll+11d50 clr.dll+17764 clr.dll+94d2d clr.dll+14e269 clr.dll+14e2d3 clr.dll+14e3a0 clr.dll+14e40f clr.dll+94be2 clr.dll+962d1 kernel32.dll+133aa ntdll.dll+39f72 ntdll.dll+39f45 Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b

kevoreilly avatar kevoreilly commented on July 19, 2024

We can tell from this that the powershell process makes a call from the .net clr into a function in kernelbase.dll - the bytes at EIP are the 'leave' and 'ret' instructions of a function epilog in kernelbase. To find which function this is we'd need to disassemble that specific version of kernelbase.dll and find out what is at RVA 0xc41f, but looking at kernelbase functions, many contain a call to check the stack cookie in the epilog, so it could well be an exception raised by a bad stack cookie. As to why, I don't know; perhaps some interaction by a hook with an exception handler? It would definitely be useful to look at the sequence of API calls towards the crash, which is presumably the end of the process too: the last call in the log, as well as the subsequent call from the log of the working run.

kevoreilly avatar kevoreilly commented on July 19, 2024

If you can give me a copy of the kernelbase I will dig further.

enzok avatar enzok commented on July 19, 2024

This is where things go badly.

capemon

This thread is created and, immediately after, the program begins stopping the process.

CreateThread | ThreadId: 1980 StartRoutine: 0x69f2a110 Parameter: 0x0786e21c CreationFlags: 0x00010000 | success | 0x000002f4

cuckoomon.dll

This thread starts and then begins running new code.

CreateThread | ThreadId: 2496 StartRoutine: 0x6a0fa110 Parameter: 0x0782e2cc CreationFlags: 0x00010000 | success | 0x00000310

enzok avatar enzok commented on July 19, 2024

DllBase: 0x69f10000 
NotificationReason: load 
DllName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll

kevoreilly avatar kevoreilly commented on July 19, 2024

Aha, now that's why I added those log statements to capture dll image bases! So the thread start address is at 0x1a110 in clr.dll. It would be interesting to disassemble that and look there too. What's the first logged call of the new thread in the working run?

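The two comments above work the crash record by hand: the exception code and the 'leave; ret' bytes at EIP in the "Exception Caught!" line, and the CreateThread StartRoutine rebased against the clr.dll DllBase from the load notification. Here is the same bookkeeping done mechanically, as an added example that is my code, not CAPE's or capemon's. The sample lines are constructed in the shape of the log excerpts in this thread, with the frame lists shortened; the exception-code table holds the standard Windows values for the codes involved, and the rebasing helper assumes only what the monitor prints (a base address and a name, no image size).

```python
"""Parse capemon 'Exception Caught!' debug lines and rebase addresses against
DllBase load notifications. Added example; not CAPE or capemon code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard Windows exception codes seen in, or relevant to, the thread's log.
EXCEPTION_CODES: Dict[int, str] = {
    0xE06D7363: "MSVC C++ exception (thrown via RaiseException)",
    0xE0434352: "CLR managed exception",
    0xC0000005: "EXCEPTION_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (/GS cookie failure)",
}

# Field layout exactly as the monitor prints it in the lines above.
EXC_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<eip>\S+) SEH: (?P<seh>\S+) "
    r"(?P<eip_abs>[0-9a-fA-F]+), Fault Address: (?P<fault>[0-9a-fA-F]+), "
    r"Esp: (?P<esp>[0-9a-fA-F]+), Exception Code: (?P<code>[0-9a-fA-F]+),\s+"
    r"(?P<frames>.*?)\s+Bytes at EIP: (?P<bytes>[0-9a-fA-F ]+)\s*$"
)
LOAD_RE = re.compile(
    r"DllBase:\s*(0x[0-9a-fA-F]+)\s+NotificationReason:\s*load\s+DllName:\s*(\S+)"
)
THREAD_RE = re.compile(r"CreateThread \| ThreadId: (\d+) StartRoutine: (0x[0-9a-fA-F]+)")


@dataclass
class ExceptionRecord:
    pid: int
    eip: str            # "module+rva" where the exception was raised
    seh: str            # handler the monitor found on the SEH chain
    fault_address: int
    esp: int
    code: int
    frames: List[str]   # return addresses, innermost first, "module+rva"
    bytes_at_eip: bytes

    @property
    def code_name(self) -> str:
        return EXCEPTION_CODES.get(self.code, "unknown exception code")


def parse_exception_line(line: str) -> Optional[ExceptionRecord]:
    m = EXC_RE.search(line)
    if not m:
        return None
    return ExceptionRecord(
        pid=int(m["pid"]), eip=m["eip"], seh=m["seh"],
        fault_address=int(m["fault"], 16), esp=int(m["esp"], 16),
        code=int(m["code"], 16), frames=m["frames"].split(),
        bytes_at_eip=bytes.fromhex(m["bytes"].replace(" ", "")),
    )


def epilog_at_eip(rec: ExceptionRecord) -> Optional[Tuple[str, int]]:
    """Recognise 'leave; ret imm16' at EIP. imm16 is the number of argument
    bytes the callee pops, so ret 0x10 means a four-DWORD stdcall function."""
    b = rec.bytes_at_eip
    if len(b) >= 4 and b[0] == 0xC9 and b[1] == 0xC2:
        return "leave; ret", int.from_bytes(b[2:4], "little")
    return None


def parse_load_notifications(text: str) -> List[Tuple[int, str]]:
    """(base, basename) pairs from the monitor's DllBase/DllName notifications."""
    return sorted((int(b, 16), p.rsplit("\\", 1)[-1]) for b, p in LOAD_RE.findall(text))


def rebase(addr: int, modules: List[Tuple[int, str]]) -> str:
    """Express addr as module+rva. The notification carries no image size, so the
    highest base at or below addr is taken: exact for an address inside a loaded
    image, only a guess for one that is not."""
    below = [(base, name) for base, name in modules if base <= addr]
    if not below:
        return f"{addr:08x}"
    base, name = max(below)
    return f"{name}+{addr - base:x}"


def thread_start_location(line: str, modules: List[Tuple[int, str]]) -> Optional[Tuple[int, str]]:
    m = THREAD_RE.search(line)
    return (int(m.group(1)), rebase(int(m.group(2), 16), modules)) if m else None


# Constructed samples in the shape of the thread's log, frame lists shortened.
SAMPLE_LOG = (
    "2018-08-22 14:06:47,688 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: "
    "Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+57ff8c 74e1c41f, "
    "Fault Address: 0027e104, Esp: 0027e04c, Exception Code: e06d7363,  "
    "MSVCR120_CLR0400.dll+8fb90 clr.dll+2d9cba powershell.exe+828b ntdll.dll+39f45 "
    "Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b\n"
    "2018-08-22 14:06:47,988 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: "
    "Exception Caught! PID: 988 EIP: KERNELBASE.dll+c41f SEH: clr.dll+151ac0 74e1c41f, "
    "Fault Address: 00000000, Esp: 0027e2dc, Exception Code: e0434352,  "
    "clr.dll+155383 clr.dll+2d75ab ntdll.dll+39f45 "
    "Bytes at EIP: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b\n"
)
SAMPLE_LOAD = r"""DllBase: 0x69f10000
NotificationReason: load
DllName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"""
SAMPLE_THREAD = ("CreateThread | ThreadId: 1980 StartRoutine: 0x69f2a110 "
                 "Parameter: 0x0786e21c CreationFlags: 0x00010000 | success | 0x000002f4")

if __name__ == "__main__":
    mods = parse_load_notifications(SAMPLE_LOAD)
    for rec in filter(None, map(parse_exception_line, SAMPLE_LOG.splitlines())):
        print(f"pid {rec.pid} code {rec.code:08x} ({rec.code_name}) at {rec.eip}, "
              f"epilog {epilog_at_eip(rec)}, innermost frame {rec.frames[0]}")
    print("thread start:", thread_start_location(SAMPLE_THREAD, mods))
```

Two things fall out of running this over the thread's values. Decoding 0xe06d7363 says the first record is a C++ exception thrown through RaiseException, and the 'ret 0x10' epilog at EIP is consistent with a four-argument stdcall function such as RaiseException; a /GS cookie failure would be reported as 0xc0000409 instead. The 0xe0434352 record that follows from the same call chain is the managed-exception form the CLR raises for it, so the native throw is where to look, with clr.dll+155383 as its innermost frame. On the rebasing side, 0x69f2a110 minus the logged base 0x69f10000 gives clr.dll+1a110 as the comment states; the working run's StartRoutine 0x6a0fa110 ends in the same low bits, which is what one would expect if it is the same RVA in a clr.dll loaded at a different base, but only that run's own load notification can confirm it.
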
kevoreilly avatar kevoreilly commented on July 19, 2024

The return address clr.dll+155383 is also worth looking at.

kevoreilly avatar kevoreilly commented on July 19, 2024

Or I could try installing the same versions of .net and powershell...

enzok avatar enzok commented on July 19, 2024

2018-08-22 13:23:49,956 | 2496 | 0x000000000x00000000 | LdrGetDllHandle | ModuleHandle: 0x765c0000 FileName: KERNEL32.DLL | success | 0x00000000 | 2 times
2018-08-22 13:23:49,956 | 2496 | 0x000000000x00000000 | NtDuplicateObject | TargetHandle: 0x000003f4 TargetProcessHandle: 0xffffffff Options: DUPLICATE_SAME_ACCESS SourceHandle: 0xfffffffe SourceProcessHandle: 0xffffffff | success | 0x00000000 |  
2018-08-22 13:23:49,956 | 2496 | 0x000000000x00000000 | NtClose | Handle: 0x00000000 | failed | INVALID_HANDLE |  
2018-08-22 13:23:49,956 | 2496 | 0x000000000x00000000 | GetSystemInfo |   | success | 0x00000000 |  
2018-08-22 13:23:49,956 | 2496 | 0x000000000x00000000 | NtAllocateVirtualMemory | StackPivoted: no Protection: PAGE_READWRITE|PAGE_GUARD ProcessHandle: 0xffffffff RegionSize: 0x00002000 BaseAddress: 0x0796d000 | success | 0x00000000

enzok avatar enzok commented on July 19, 2024

LdrGetDllHandle

enzok avatar enzok commented on July 19, 2024

.net 4.7.2 - I upgraded over 4.5 and 4.6
PS 5.1

kevoreilly avatar kevoreilly commented on July 19, 2024

Cool, will install those and give it a test.

enzok avatar enzok commented on July 19, 2024

clr.dll will be version 4.7.2633.0

kevoreilly avatar kevoreilly commented on July 19, 2024

Ok great - thanks for digging into this further. I guess we'll leave the Acrobat issue on ice for now.
