Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 12, 2021, 6:21 p.m.	June 12, 2021, 6:23 p.m.

Size	5.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7164c297181394bbccb68090346d1742`
SHA256	`531511e95f85e5fd8614c28ddfd4fd487086ebd3f656b6214419876ff1ad3be4`
CRC32	`61727B00`
ssdeep	`98304:pAI+fK9oO80oajzM5cGJbTIiDOPNUB+BZcSj9PdkQmW5sMxIRgbe9aVsSnX:ityocoSzMfJbTIiDOVcYtdklWPeIeQVN`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
4564
- hjjgaa.exe "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
  7144
  - jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
    7664
  - jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
    3460
- RunWW.exe "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
  3872
- guihuali-game.exe "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
  4636
  - rundll32.exe "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\test22\AppData\Local\Temp\install.dll",install
    4608
- lylal220.exe "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
  8992
  - lylal220.tmp "C:\Users\test22\AppData\Local\Temp\is-6R8JP.tmp\lylal220.tmp" /SL5="$72024E,491750,408064,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
    6152
    - 56FT____________________.exe "C:\Users\test22\AppData\Local\Temp\is-55P3Q.tmp\56FT____________________.exe" /S /UID=lylal220
      6912
      - irecord.exe "C:\Program Files\HashTab Shell Extension\EJCJHZGFIU\irecord.exe" /VERYSILENT
        8116
        
        irecord.tmp "C:\Users\test22\AppData\Local\Temp\is-RTHQU.tmp\irecord.tmp" /SL5="$7901AE,6139911,56832,C:\Program Files\HashTab Shell Extension\EJCJHZGFIU\irecord.exe" /VERYSILENT
        500
        
        i-record.exe "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        8812
      - Jelawelolo.exe "C:\Users\test22\AppData\Local\Temp\6a-d7f9e-6a0-12888-4e49c084e80d5\Jelawelolo.exe"
        3044
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        7284
      - Majalefaehu.exe "C:\Users\test22\AppData\Local\Temp\c5-2bfc7-8c8-99ebe-e58c1b8e3ef15\Majalefaehu.exe"
        7904
- LabPicV3.exe "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
  7072
  - LabPicV3.tmp "C:\Users\test22\AppData\Local\Temp\is-M1GNJ.tmp\LabPicV3.tmp" /SL5="$5603FE,506086,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
    8104
    - _____________.exe "C:\Users\test22\AppData\Local\Temp\is-GMNUJ.tmp\_____________.exe" /S /UID=lab214
      4964
      - prolab.exe "C:\Program Files\MSBuild\YZNUZKAESP\prolab.exe" /VERYSILENT
        3788
        
        prolab.tmp "C:\Users\test22\AppData\Local\Temp\is-BC9K1.tmp\prolab.tmp" /SL5="$5D0218,575243,216576,C:\Program Files\MSBuild\YZNUZKAESP\prolab.exe" /VERYSILENT
        884
      - Bynikaqahy.exe "C:\Users\test22\AppData\Local\Temp\ab-30604-9bc-d29ad-578b95c248612\Bynikaqahy.exe"
        1568
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        4308
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:4308 CREDAT:145409
        1436
      - Juzhokasysu.exe "C:\Users\test22\AppData\Local\Temp\0a-4bda9-e30-2afa3-2c2539260bc3e\Juzhokasysu.exe"
        6372
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
cor-tips.com	A 198.54.116.159	198.54.116.159
iplogger.org	A 88.99.66.31	88.99.66.31
email.yg9.me		198.13.62.186
www.profitabletrustednetwork.com	A 192.243.59.20 A 192.243.59.12 A 192.243.59.13	192.243.59.12
iw.gamegame.info	A 104.21.21.221 A 172.67.200.215	104.21.21.221
ol.gamegame.info	A 104.21.21.221 A 172.67.200.215	172.67.200.215
www.google.com	A 172.217.31.132	216.58.197.196
connectini.net	A 162.0.210.44	162.0.210.44
uyg5wye.2ihsfa.com	A 88.218.92.148	88.218.92.148
google.com	A 216.58.220.110	216.58.197.238
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35
email.yg9.me	A 198.13.62.186	198.13.62.186
geruntur.com	A 172.67.153.74 A 104.21.80.190	172.67.153.74
ip-api.com	A 208.95.112.1	208.95.112.1
reportyuwt4sbackv97qarke3.com	A 162.0.220.187	162.0.220.187

IP Address	Status	Action
104.21.21.221	Active	Moloch
157.240.215.35	Active	Moloch
162.0.210.44	Active	Moloch
162.0.220.187	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.217.31.132	Active	Moloch
172.67.153.74	Active	Moloch
192.243.59.20	Active	Moloch
198.13.62.186	Active	Moloch
198.54.116.159	Active	Moloch
208.95.112.1	Active	Moloch
216.58.220.110	Active	Moloch
88.218.92.148	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49815 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 198.54.116.159:80 -> 192.168.56.102:49819	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49828 -> 157.240.215.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:61999 -> 198.13.62.186:53	2014702	ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set	Potential Corporate Privacy Violation
TCP 198.54.116.159:80 -> 192.168.56.102:49820	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49833 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49833 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49837 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49833 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49833 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49833 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49832 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 198.54.116.159:80 -> 192.168.56.102:49836	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.54.116.159:80 -> 192.168.56.102:49836	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49848 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 198.54.116.159:80 -> 192.168.56.102:49836	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.54.116.159:80 -> 192.168.56.102:49847	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.54.116.159:80 -> 192.168.56.102:49847	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49865 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49873 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49876 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49885 -> 192.243.59.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49898 -> 172.67.153.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49897 -> 172.67.153.74:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49886 -> 192.243.59.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 198.54.116.159:80 -> 192.168.56.102:49836	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49869 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49874 -> 162.0.210.44:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49887 -> 192.243.59.20:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49828 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com	64:6a:5b:69:8b:12:93:b5:d8:b2:20:d5:3f:4e:74:04:ca:ba:95:5e
TLSv1 192.168.56.102:49837 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49832 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49848 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49865 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49873 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49876 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49885 192.243.59.20:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	72:e9:ae:f3:00:8a:5b:24:cd:04:8c:15:0d:b3:ec:6a:6b:f9:59:d7
TLSv1 192.168.56.102:49898 172.67.153.74:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	e0:21:46:53:67:77:03:77:07:a4:48:0b:fb:11:63:a5:bd:3a:87:4b
TLSv1 192.168.56.102:49897 172.67.153.74:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	e0:21:46:53:67:77:03:77:07:a4:48:0b:fb:11:63:a5:bd:3a:87:4b
TLSv1 192.168.56.102:49886 192.243.59.20:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	72:e9:ae:f3:00:8a:5b:24:cd:04:8c:15:0d:b3:ec:6a:6b:f9:59:d7
TLSv1 192.168.56.102:49869 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
TLSv1 192.168.56.102:49874 162.0.210.44:443	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com	68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf
TLSv1 192.168.56.102:49887 192.243.59.20:443	C=US, O=Let's Encrypt, CN=R3	CN=profitabletrustednetwork.com	72:e9:ae:f3:00:8a:5b:24:cd:04:8c:15:0d:b3:ec:6a:6b:f9:59:d7

Queries for the computername (17 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 12, 2021, 6:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 12, 2021, 6:22 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (13 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:21 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0
IsDebuggerPresent June 12, 2021, 6:22 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (1 event)

Time & API	Arguments	Status	Return	Repeated
CryptExportKey June 12, 2021, 6:22 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x009ab020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2021, 6:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (50 out of 65538 events)

Time & API	Arguments	Status
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1
__exception__ June 12, 2021, 6:21 p.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77419e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75763120 runww+0x84213 @ 0x484213 runww+0x8514b @ 0x48514b runww+0x17f2 @ 0x4017f2 runww+0x169f @ 0x40169f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77419e58 registers.esp: 1631964 registers.edi: 9502720 registers.eax: 4294967288 registers.ebp: 1632008 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 9502720	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (17 events)

suspicious_features	POST method with no referer header	suspicious_request	POST http://iw.gamegame.info/report7.4.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cor-tips.com/Widgets/Picture-Lab.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://ol.gamegame.info/report7.4.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cor-tips.com/After_math_Eminem/publisher/pdE2wzU92JHyzWh4.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://uyg5wye.2ihsfa.com/api/?sid=352087&key=d8e65b8cd10d25f87c984cac621590bf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cor-tips.com/Widgets/i-record.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cor-tips.com/After_math_Eminem/kenpa/n3tVVEsJQycdn6Vk.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cor-tips.com/After_math_Eminem/KeyHandler/5Nh3dEML5qjDf83H.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://reportyuwt4sbackv97qarke3.com/qhy7yf7uqefsrt4jubgb9wtaftr5j3/f7gdb4w25njs9btvrjx778dspzbppu
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.google.com/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/SuperNitou.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1twXf7
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer4Publisher.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/publisher/1/KR.json
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://connectini.net/Series/Conumer2kenpachi.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
suspicious_features	GET method with no useragent header	suspicious_request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json

Performs some HTTP requests (29 events)

request	GET http://ip-api.com/json/
request	HEAD http://cor-tips.com/After_math_Eminem/AdvertiserInstaller/PicturesLab/PicturesLab.exe
request	GET http://cor-tips.com/After_math_Eminem/AdvertiserInstaller/PicturesLab/PicturesLab.exe
request	HEAD http://cor-tips.com/After_math_Eminem/AdvertiserInstaller/I-Record/I-Record.exe
request	GET http://cor-tips.com/After_math_Eminem/AdvertiserInstaller/I-Record/I-Record.exe
request	GET http://ip-api.com/json/?fields=8198
request	POST http://iw.gamegame.info/report7.4.php
request	GET http://cor-tips.com/Widgets/Picture-Lab.exe
request	POST http://ol.gamegame.info/report7.4.php
request	GET http://cor-tips.com/After_math_Eminem/publisher/pdE2wzU92JHyzWh4.exe
request	GET http://uyg5wye.2ihsfa.com/api/fbtime
request	POST http://uyg5wye.2ihsfa.com/api/?sid=352087&key=d8e65b8cd10d25f87c984cac621590bf
request	GET http://cor-tips.com/Widgets/i-record.exe
request	GET http://cor-tips.com/After_math_Eminem/kenpa/n3tVVEsJQycdn6Vk.exe
request	GET http://cor-tips.com/After_math_Eminem/KeyHandler/5Nh3dEML5qjDf83H.exe
request	POST http://reportyuwt4sbackv97qarke3.com/qhy7yf7uqefsrt4jubgb9wtaftr5j3/f7gdb4w25njs9btvrjx778dspzbppu
request	GET http://www.google.com/
request	GET https://www.facebook.com/
request	POST https://connectini.net/Series/SuperNitou.php
request	GET https://iplogger.org/18hh57
request	GET https://iplogger.org/1twXf7
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	GET https://connectini.net/Series/publisher/1/KR.json
request	POST https://connectini.net/Series/Conumer2kenpachi.php
request	GET https://connectini.net/Series/kenpachi/2/goodchannel/KR.json
request	GET https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
request	GET https://connectini.net/Series/configPoduct/2/goodchannel.json
request	GET https://www.profitabletrustednetwork.com/e2q8zu9hu?shu=a3fd8c97f94682045df68f23d0d7cb483c31b50beafbd7b7c18313af024171672bd5b4321b284b2edd85dbf35f0bd1874d437548da11dedea0f8ed36232ca57e1149cad33c923a12e7b918b983a3dee49a284c&pst=1623489884&rmtc=t&uuid=&pii=true&in=false&key=a971bbe4a40a7216a1a87d8f455f71e6
request	GET https://www.profitabletrustednetwork.com/favicon.ico

Sends data using the HTTP POST Method (7 events)

request	POST http://iw.gamegame.info/report7.4.php
request	POST http://ol.gamegame.info/report7.4.php
request	POST http://uyg5wye.2ihsfa.com/api/?sid=352087&key=d8e65b8cd10d25f87c984cac621590bf
request	POST http://reportyuwt4sbackv97qarke3.com/qhy7yf7uqefsrt4jubgb9wtaftr5j3/f7gdb4w25njs9btvrjx778dspzbppu
request	POST https://connectini.net/Series/SuperNitou.php
request	POST https://connectini.net/Series/Conumer4Publisher.php
request	POST https://connectini.net/Series/Conumer2kenpachi.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 896 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 3872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 401408 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 8992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 8992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 8992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 372736 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 8992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 7072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 7072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 7072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 385024 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 7072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 8104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 8104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 6152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 6152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 region_size: 1052672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 region_size: 376832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4608 region_size: 307200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 6:21 p.m.	process_identifier: 4964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef25e0000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW June 12, 2021, 6:21 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13281312768 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 12, 2021, 6:22 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13268721664 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW June 12, 2021, 6:22 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13246210048 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (30 events)

file	C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe
file	C:\Users\Public\Desktop\Picture Lab.lnk
file	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
file	C:\Users\test22\AppData\Local\Temp\is-GMNUJ.tmp\idp.dll
file	C:\Program Files (x86)\Windows Sidebar\Dyxovumuji.exe
file	C:\Users\test22\AppData\Local\Temp\c5-2bfc7-8c8-99ebe-e58c1b8e3ef15\Majalefaehu.exe
file	C:\Users\test22\AppData\Local\Temp\6a-d7f9e-6a0-12888-4e49c084e80d5\Jelawelolo.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.lnk
file	C:\Users\test22\AppData\Local\Temp\0a-4bda9-e30-2afa3-2c2539260bc3e\Juzhokasysu.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
file	C:\Users\test22\AppData\Local\Temp\is-A8KK2.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-GMNUJ.tmp\_____________.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
file	C:\Users\test22\AppData\Local\Temp\ab-30604-9bc-d29ad-578b95c248612\Bynikaqahy.exe
file	C:\Users\test22\AppData\Local\Temp\is-IRUOO.tmp\_isetup\_shfoldr.dll
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.lnk
file	C:\Users\test22\AppData\Local\Temp\install.dll
file	C:\Program Files\HashTab Shell Extension\EJCJHZGFIU\irecord.exe
file	C:\Users\Public\Desktop\recording.lnk
file	C:\Users\test22\AppData\Local\Temp\is-55P3Q.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-55P3Q.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-55P3Q.tmp\56FT____________________.exe
file	C:\Program Files (x86)\Windows Defender\SHucaefygiqy.exe
file	C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file	C:\Users\test22\AppData\Local\Temp\is-GMNUJ.tmp\_isetup\_shfoldr.dll
file	C:\Program Files\MSBuild\YZNUZKAESP\prolab.exe
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file	C:\Users\test22\AppData\Local\Temp\adobe_caps.dll

Creates a shortcut to an executable file (17 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\Public\Desktop\recording.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\Public\Desktop\Picture Lab.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\recording.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picture Lab.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (10 events)

file	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
file	C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
file	C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file	C:\Program Files\MSBuild\YZNUZKAESP\prolab.exe
file	C:\Users\test22\AppData\Local\Temp\ab-30604-9bc-d29ad-578b95c248612\Bynikaqahy.exe
file	C:\Users\test22\AppData\Local\Temp\0a-4bda9-e30-2afa3-2c2539260bc3e\Juzhokasysu.exe
file	C:\Program Files\HashTab Shell Extension\EJCJHZGFIU\irecord.exe

Drops an executable to the user AppData folder (13 events)

file	C:\Users\test22\AppData\Local\Temp\adobe_caps.dll
file	C:\Users\test22\AppData\Local\Temp\0a-4bda9-e30-2afa3-2c2539260bc3e\Juzhokasysu.exe
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe
file	C:\Users\test22\AppData\Local\Temp\is-6R8JP.tmp\lylal220.tmp
file	C:\Users\test22\AppData\Local\Temp\is-M1GNJ.tmp\LabPicV3.tmp
file	C:\Users\test22\AppData\Local\Temp\is-GMNUJ.tmp\_____________.exe
file	C:\Users\test22\AppData\Local\Temp\is-BC9K1.tmp\prolab.tmp
file	C:\Users\test22\AppData\Local\Temp\install.dll
file	C:\Users\test22\AppData\Local\Temp\is-A8KK2.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-GMNUJ.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\ab-30604-9bc-d29ad-578b95c248612\Bynikaqahy.exe
file	C:\Users\test22\AppData\Local\Temp\is-RTHQU.tmp\irecord.tmp
file	C:\Users\test22\AppData\Local\Temp\is-55P3Q.tmp\56FT____________________.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 12, 2021, 6:21 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	1	1
ShellExecuteExW June 12, 2021, 6:21 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe	1	1
ShellExecuteExW June 12, 2021, 6:21 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe	1	1
ShellExecuteExW June 12, 2021, 6:21 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe	1	1
ShellExecuteExW June 12, 2021, 6:21 p.m.	show_type: 0 filepath_r: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe parameters: filepath: C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 8188	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: cmd.exe process_identifier: 7132	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: conhost.exe process_identifier: 7388	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 4208	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: slui.exe process_identifier: 8052	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: hjjgaa.exe process_identifier: 7144	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: RunWW.exe process_identifier: 3872	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: lylal220.exe process_identifier: 8992	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: LabPicV3.exe process_identifier: 7072	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: LabPicV3.tmp process_identifier: 8104	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: lylal220.tmp process_identifier: 6152	1	1
Process32NextW June 12, 2021, 6:21 p.m.	snapshot_handle: 0x00000120 process_name: rundll32.exe process_identifier: 4608	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 12, 2021, 6:23 p.m.	process_identifier: 1436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x08e50000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 12, 2021, 6:21 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes labpicv3.tmp, lylal220.tmp (4 events)

Time & API	Arguments	Status	Return
InternetReadFile June 12, 2021, 6:21 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELuoÞËà0~ò~ @ À@(S î H.text} ~ `.rsrcî ð@@.reloc p@B`HDZÈBRÔN`({"}{"}{"}( {"}{"}{"}{"}{"}{ "} { "} {"}{"}{ "} {"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{*" request_handle: 0x00cc000c	1	1
InternetReadFile June 12, 2021, 6:21 p.m.	buffer: PrmKey":"iwPTwg1zz24cJPE\/gmZ2QQXtloDYg1EvYZL8XWs5+bU=", "TrackDecrPrmIv":"nYzT0lUc5GclTDkjF2w\/MMvPyZ7zZmOacQM8FVR8i8U=", "tag":"pirlo2_corona_life_Corona-tips_goodchannel" }îMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELKÂ¿ýà" 0är `@O D@àp H.textHã ä `.rsrcD æ@@.reloc@ì@BSHxnq2(ho {þ{þ{þ{þ{þ{þ*{þN(i&{o1 f(i&{o1 o2 (2(ho 2(ho 2(io 2(io *0J(i&s3 {o4 +o5 request_handle: 0x00cc000c	1	1
InternetReadFile June 12, 2021, 6:21 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELe"ãà0~<^ @ @K P9àô H.textd} ~ `.rsrcP9 :@@.relocàº@B@HDZ°BRÔN`({"}{"}{"}( {"}{"}{"}{"}{"}{ "} { "} {"}{"}{ "} {"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{*" request_handle: 0x00cc000c	1	1
InternetReadFile June 12, 2021, 6:21 p.m.	buffer: PrmKey":"iwPTwg1zz24cJPE\/gmZ2QQXtloDYg1EvYZL8XWs5+bU=", "TrackDecrPrmIv":"nYzT0lUc5GclTDkjF2w\/MMvPyZ7zZmOacQM8FVR8i8U=", "tag":"pirlo2_corona_life_Corona-tips_goodchannel" }îMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELKÂ¿ýà" 0är `@O D@àp H.textHã ä `.rsrcD æ@@.reloc@ì@BSHxnq2(ho {þ{þ{þ{þ{þ{þ*{þN(i&{o1 f(i&{o1 o2 (2(ho 2(ho 2(io 2(io *0J(i&s3 {o4 +o5 request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 12, 2021, 6:21 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW June 12, 2021, 6:21 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (8 events)

Time & API	Arguments	Return
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{141446C4-F423-40A0-BB37-10245CF8EAB5}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1	2
RegOpenKeyExA June 12, 2021, 6:22 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{558E1E6C-4A0D-4F49-9F39-071618575B7F}_is1	2

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Program Files (x86)\Internet Explorer\iexplore.exe https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:4308 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Checks for the presence of known windows from debuggers and forensic tools (1 event)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 12, 2021, 6:21 p.m.	class_name: ConsoleWindowClass window_name:	1	5505850	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover				reg_value	"C:\Program Files (x86)\Windows Sidebar\Dyxovumuji.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover				reg_value	"C:\Program Files (x86)\Windows Defender\SHucaefygiqy.exe"

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW June 12, 2021, 6:21 p.m.	key_handle: 0x00000124 regkey_r: 1 reg_type: 3 (REG_BINARY) value: ÁÕx4XÁåH<PÁýPwËoÜØ_µHÅµ¾HÅ¼«HcáA@Å±4^¯fZÅÊC@K°h·?ËjètM=ãK£¹áü÷¶Ãc~¹²$ ?xÃ{aLÇs°Íh$ÏüsEø½ç@tPAÊ]ù¸003ú6)Ã{¸ÍE´H±Æ·¹ÎMÅÉ`tÃ]ÁÍ`dÁÂGÅh»ÿ^ßptÃE&÷3áù¸HÃE¾(Ã×x\|ÃçHD(ÃÿPL ËGôqÃ çÁÕx<Åh,]ÅáHñÉm,Àe-Ã!E`3èâ.DDHîçLLLHÃÛHTÇÙB]ÆÉr}ÈEÏû~I#\|·@NRÆPÉ7¼BÉÌüp:ò2z½ÃÎòÿ)øTK¸ÀL½ThÃÞêúÎRÖ±¼ÃÄº[B!ãË·=ÊhêtªÀ4³pºÊúQiJó±x`AnóÁÏXNÛÅûrEN±½J¶<ÇÓyc¤c1~"yò8zBaj ;»¾ÊÊe©3vJÃÏ¸£@ÊÂUUJËCØJÓrêÞ7µÎ&JÂsëß!¦Aø.@\|2~oNÇH<>Î±~¦$ËÍÏJKP{û´®ÉÌ@p·OÁN±¾I¶?Âû¹y`§eXXJ>==>§"ÍÅ K¸ûòÁ#ÀL¼eIOfïÕBE´kWÅÀL[ß±¿À Æ¹X@#ãÛ·>Ëiët^õ;¡Ñï§±·ÅÀ8/]÷©¿ìOÃI)é1óÃ¸ÔðHÉEÀ_ËoÄÀûí·ËkáAËGìëÁÕx,]ËoÜxÃrrQcõ;Q!ïFáü÷¶ÁÍ`À6#F²$ ?xÃc9,F;ÂÁ ¬LÇkTAFð¾õz4ÇsGRFR¹Á ¤èu`·ÁÍ`lÇckx»3t4ó)¼V¸õZf_>s~²½ f_>r+KtÅ Hsâ«§T½nEt}½<u¶{¸ fãÁz(bÃA²z(vÄHðf_}zaÑàK¸óz8JÁ¹ úBZÉÜPLÈE´VkÄÊE:øÌþ¶JÑËBéarë¬ÔúÏÇr}~ñÅß¢»Ïßjjgá¾5FÒÊI¶µoù´'zó»OqÀAÊJxrCIÊÈGENHC;áÑÂÀÖsiÌÄ¶üËCJ¶ÚáêNLÏZÊkét¾ojn_¾øù@Aù¸00AÊYáú6ÃSÍEÏ_%»ÏÏzjÃ\ÃC¾(vúN¸^"wr8u:Èäh¸rÅÁÊJÚE´VgÎJÖEÀE´aTÊZÒHÅKKÔ¾(vú¯'Bî]WR8t²ÇçHõZf_:wweïK+GèEHKøÂ>sv7°EÏ D}¶;´HÅOÇPgto»NÏÉFEBË¼ý½AÊKËkà@9¤/³UE¾EwÁÇBMJ¸¶¸¹ððAN¸w¦Eâx¹ f]ú´dKÀaðJÇOMHÊBÃOfÿ¡¹vúBÉFLKÓ[NÏÉFEBË½ÖïÇ/¬EÏHÅ¹7EÏÅBHÏå~XKÈÏ{¼Oè§Oð«pmvúÇk¨ÍEÏü¾Êb¤t7z3ÂEÎr±ÃXÂGÍW«\| ¸e9ìOËAÀJKÐ,k°¤EvúÍEÏÄ½´Â+g·:Çv´&äHÆ;{u0\|Ê÷ËEÒEµôÍÇ/¬LÇçHdÏ' EÀE´S¬#¤E´iCðâ¿«ÇOÇH+éB¾ÁÖouvóKôW`Ã@KøºÌýq])(REµhXvóóáÃ@4(äáù¸HÃ@¾+=OZtMÃ×xT8ËGôq:kX°¶§qÍ 666Ûqïpí âÓGúåÐ¥ð"+\|x¤àF cûËN ÊDLZ`` xû @Aåæà!@PNðö ðÀMx805Nv ðíFDÆÌ{z/îççÿçõtL) Æ8åÆS'çÔVÁJLCNÕÁ1àÖ:úÁÖÁ:¾ ÉÇÀúøú:NãíDTÇÏÕÏÝ ÜÇº<ÜÃIÞËÒåÇwÞTRÀTû{¢lÇ\ÃäÿommXËoì(À_Fñ3úÉEvóóáÁ]A\|kÀÀÒÀèê/ #KÅ»Î\|QBòL#Gìè)ÇSÌÎâåííÆ`¥ÏÀ He}ðàçñä!"âæéâ4óàhÁú²l/p>HÃÉ¬¦âáôZNàû8Àòñê àé)ÃB©+Àfïé,ÀÃåê.åÿûCu8(xHáHhÃóô"öÁÌE « À8c+à¨ÅÙp«=»b+´êïséA©®ãZ!:ìÈ¹QÃÆMHsþ%DÛu{I<MYþàiôæèhé®ÎmèDl»jîïG¶ñ=Éô_A/Ùè(ÁéB¨êkyñãçüöÚóN©ác(ýå6ááú¯ê>®ÇNJØE´d°Ì7BÄú4 ³¼E@@(µ,qÌiÈÃ'u <y5¥hêüè\@á_d}vÁÕ\$,@ÁåH4XHýP<PÁõX,(av((hÅïÃ)HÃRDR©ê´%ÈHÕá²ab1ÞKàëPÙÊÅö#HXÁâ;0`8µøU"dï"+À'öÐ+(Cà·ß§»2ÐáIÁÎÿPý<ha©%!Fm+Ë ÌßõÎ'}bwHËmït´ÃdHX,ÇÿPd@HÃ÷XlÁ KÁH`ïD ®!@!`ÇD©¸2 âXE51 !ÇDæbB_ ! '_ÍÅÃ×\$xËGäaTÉ!Ãv¶þQÃñÄ¥ó5Âu\|·"¸!IÃD':ßLAY.æÑiEH<9xß±tQ¦KI Ãë9dPÌ"'!ÈÂyÏê (¿ÀÛ ³~qVù°_¿ó÷óÕÄó«z3@@00ÀÓI5ÿaö;:¡º tNÊñyêó`²Âù~çïü´±ïC³ùü41øÈ0Fj»±,Ä÷PhPÃµËyà¶ÂOç` ½ÖsbFÑBÏéìt¼YGPïêÊ^óE·ê¿FPB+y]\±çv?·Ú+×êê;äQj¨9®MÊà¸ÃaZ£flñÆDµe»¯\|XÌzsôÌÇÈKµ!PutÃ^/cÀÃÇëÈ´~ÕW¬o0ozSm0Èß»êöó<.º¥+hµÊA>$ûÃÅÍ-ÚvÀkGx£Dh)_!¾ÑêWÓEµsMB]ß¤HHD(ÅÉF&DPt`dÁCW1?/v`A6ÈDgoká<G=:I7//h4HÁ ¶Eô[z³À³;ÅÂwâÂÄ¤Ã¬ê§´r6P³µtRò®øÆ¶u[xtÅÒ~AgsPßG)[@öæÈû º ½uÃÌOAI@ÃápSRTÃ[ÃÄ©ÈþUÖôóÄH+4o\|ÉËv³2°QCÄ§êÂKÄ¯êCÛH@}[3ÁÇT@#/Ì<}¶,Q\íáõãE)s÷ç#ÁâO\|³ÙáªÐzØBD~ôKù@/$E h(ÃãJ @3F¾âvÅpPñåS+ÈókH{ê¢#Rg çê ¢²ÔP6òÄïº¡âzi[wû´îççUÍùqr`kÒònTLZrOíAfË+{$HØ ¢)KjÞW8o}µoà¡@ËoÌ2ËÙAÅÁhrÓ~û üôEÏU\|§»ýÃd71F¢é F'-µ W¿Â0ôïìÉ~³4mÊC+JkI¨_Æ»?pE´ùç °Ú¿Ãbføê·¹» LD·!AHþûû¿ÔGû»K7@ÇÜÀâsQÀúCwÆñ³à¥-óÂz¸£c{¼ÇiªÃbi >8¹-MÍzðAAÊkk/rA¶¯ÀÒSEMòkUÈõtÍªìBGù»±¦d8z±.9ÃÎE0\|Ç@Ä¸úe(EÎMÁÍ`øÂ_Å vô÷ñ,÷Æ2³3÷Õýªg"`xòÑÎu`ZÁõáBÈ@#xÿmñ4xD,Ü®Vi4EzB¨ÔL(^N¤¦¢ÚÜÙzÌ(wPò¸~tE"§5ý{n°}ðY¨8!Tÿ[M÷ÀrML7àÍÏ¹êGðóÊ OÁ1+Ã±¶uÿ$#¥îSG{$§Þ¶+ºÀªÉ´6ó*ãÅÌeõÁ½yÏÜWÂZ8çZF$=JÁÅh¼[ÐHÁ"'êÇ YÅí(¸¹A"{BFü¤T´Å²¸;"¶\\By({È:HÐp4K¹6Å5J;æàEwß¥ÃJÌ¨FöL½pLh£CÂ»ðøµæùàU2zù@5q7ó+î´µÅáýÉÏ-aØ@Uv×Æ)O4x<ë¢_eX,lEabFoê regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1	1	0	0

Network activity contains more than one unique useragent (2 events)

process	LabPicV3.tmp				useragent	InnoDownloadPlugin/1.5
process	iexplore.exe				useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4308 resumed a thread in remote process 1436
NtResumeThread June 12, 2021, 6:23 p.m.	thread_handle: 0x0000030c suspend_count: 1 process_identifier: 1436	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ June 12, 2021, 6:21 p.m.	tid: 7768 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Zeus P2P (Banking Trojan) (19 events)

mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0002
mutex	Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0001
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
mutex	{08586C4E-62C4-4a4e-8271-C2A20530AF62}_M_S-1-5-21-3832866432-4053218753-3017428901-1001
udp	{u'src': u'198.13.62.186', u'dst': u'192.168.56.102', u'offset': 773265, u'time': 23.078418016433716, u'dport': 54222, u'sport': 53}
udp	{u'src': u'198.13.62.186', u'dst': u'192.168.56.102', u'offset': 1592524, u'time': 12.469194889068604, u'dport': 61999, u'sport': 53}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10762227, u'time': 3.9280478954315186, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10770627, u'time': 4.636677980422974, u'dport': 1900, u'sport': 56752}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10777509, u'time': 4.418129920959473, u'dport': 3702, u'sport': 56754}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10780365, u'time': 4.796649932861328, u'dport': 3702, u'sport': 56756}
udp	{u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 10783093, u'time': 10.863406896591187, u'dport': 3702, u'sport': 61460}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10785949, u'time': 80.986741065979, u'dport': 51733, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10786145, u'time': 71.93163299560547, u'dport': 51983, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10786371, u'time': 107.09788608551025, u'dport': 52542, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10786559, u'time': 50.310261964797974, u'dport': 59367, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10786751, u'time': 118.21966290473938, u'dport': 60430, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10787015, u'time': 131.770761013031, u'dport': 62836, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 10787223, u'time': 79.074294090271, u'dport': 63667, u'sport': 53}

Generates some ICMP traffic

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetect.malware2
DrWeb	Trojan.Inject4.11771
MicroWorld-eScan	Gen:Variant.Midie.88588
CAT-QuickHeal	Trojan.Fabookie
ALYac	Gen:Variant.Midie.88588
Malwarebytes	Spyware.PasswordStealer.SIM
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.Win32.Fabookie.4!c
Sangfor	Trojan.Win32.Injector.gen
K7AntiVirus	Trojan ( 005723511 )
Alibaba	TrojanDownloader:Win32/Fabookie.10df77e5
K7GW	Trojan ( 005723511 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/Kryptik.EGL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Fabookie-9797757-0
Kaspersky	Trojan.Win32.Fabookie.ug
BitDefender	Gen:Variant.Midie.88588
NANO-Antivirus	Trojan.Win32.Fabookie.ivkpkm
Avast	Win32:Trojan-gen
Ad-Aware	Gen:Variant.Midie.88588
Sophos	Troj/Kryptik-TR
TrendMicro	TROJ_GEN.R002C0DFB21
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
FireEye	Gen:Variant.Midie.88588
Emsisoft	Gen:Variant.Midie.88588 (B)
GData	Gen:Variant.Midie.88588
Avira	HEUR/AGEN.1139112
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Generic.ASMalwS.3308937
Kingsoft	Win32.Hack.Undef.(kcloud)
Arcabit	Trojan.Midie.D15A0C
Microsoft	Trojan:Win32/Azorult.RF!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4477121
McAfee	Artemis!7164C2971813
VBA32	Trojan.Fabookie
TrendMicro-HouseCall	TROJ_GEN.R002C0DFB21
Ikarus	Trojan-Downloader.Win32.Adload
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq
Fortinet	W32/Midie.8858!tr
AVG	Win32:Trojan-gen
Cybereason	malicious.db71ce

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All