What is AriensPartnerPlusTps.exe?
AriensPartnerPlusTps.exe is part of SetupBuilder and developed by Lindersoft according to the AriensPartnerPlusTps.exe version information.
AriensPartnerPlusTps.exe's description is "SetupBuilder "
AriensPartnerPlusTps.exe is digitally signed by Omega Business Systems.
AriensPartnerPlusTps.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected AriensPartnerPlusTps.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on AriensPartnerPlusTps.exe:
| Property | Value |
|---|---|
| Product name | SetupBuilder |
| Company name | Lindersoft |
| File description | SetupBuilder |
| Legal copyright | Copyright (C) Linder Software |
| Product version | 10, 0, 0, 6 |
| File version | 10, 0, 0, 6 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | SetupBuilder .. |
| Company name | Lindersoft .. |
| File description | SetupBuilder .. |
| Legal copyright | Copyright (C) Linder Software .. |
| Product version | 10, 0, 0, 6 |
| File version | 10, 0, 0, 6 |
Digital signatures [?]
AriensPartnerPlusTps.exe has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | Omega Business Systems |
| Certificate issuer name | COMODO RSA Code Signing CA |
| Certificate serial number | 7cbbf7a5910d67c9a538f59522142ee1 |
VirusTotal report
3 of the 71 anti-virus programs at VirusTotal detected the AriensPartnerPlusTps.exe file. That's a 4% detection rate.
| Scanner | Detection Name |
|---|---|
| Jiangmin | TrojanDropper.Injector.bmui |
| VBA32 | TrojanDropper.Injector |
| Zillya | Dropper.Injector.Win32.85423 |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"c:\\dms\\ARPrice.TPS",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"c:\\dms\\ARPriSubs.TPS",
"c:\\dms\\Uninst_Your Price File Update.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Windows\\SysWOW64\\sb6-e-m-i-l-y.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"c:\\dms",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
],
"dll_loaded": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"SETUPAPI.dll",
"IMM32.dll",
"UXTHEME",
"C:\\Windows\\syswow64\\MSCTF.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"RICHED32.DLL",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"comctl32",
"dwmapi.dll",
"rpcrt4.dll",
"ole32.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"user32.dll",
"comctl32.dll"
],
"file_opened": [
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"C:\\Users\\cuck"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UpgradeCodes\\0E7C02B88785FD11D3C610B115D0A41E",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"file_written": [
"c:\\dms\\ARPrice.TPS",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"c:\\dms\\ARPriSubs.TPS",
"c:\\dms\\Uninst_Your Price File Update.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp"
],
"file_deleted": [
"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
" ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Windows\\SysWOW64\\sb6-e-m-i-l-y.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029",
"c:\\dms\\BACKUP"
],
"file_exists": [
"c:\\dms\\ARPrice.TPS",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\wupdate.ini",
"c:\\dms",
"c:\\dms\\ARPriSubs.TPS",
"c:\\dms\\Uninst_Your Price File Update.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"file_failed": [
"c:\\dms",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029"
],
"file_read": [
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029\\*.*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\DisplayVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\Contact",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\VersionMinor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\Comments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Installer\\UpgradeCodes\\0E7C02B88785FD11D3C610B115D0A41E\\0E7C02B88785FD11764810B115D081EB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\HelpLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\HelpTelephone",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\NoRemove",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\Publisher",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\InstallLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\ProductVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\InstallDate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\URLInfoAbout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\NoModify",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\VersionMajor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\UninstallString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\NoRepair"
]
}Dropped
[
{
"yara": [],
"sha1": "1555186efc9b6726a8582b41fe73a028b079dcba",
"name": "cb48442caeb61460_LSB57B9.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"type": "MS Compress archive data",
"sha256": "cb48442caeb61460dd408626a4ae7b611e08028b68353d59148d2a962842e46c",
"urls": [],
"crc32": "0DDAA03E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/cb48442caeb61460_LSB57B9.tmp",
"ssdeep": null,
"size": 9387,
"sha512": "0db93c9415624247672ccfdf6d8516aa631f19d536e6cf18560b4e8aebe7e94cf6161a8e53d578dca640dcbfd688f69b2d294f062a0b4d67a2fc86d58fa29856",
"pids": [
2456
],
"md5": "394ce2031798e16e657391a889e553b7"
},
{
"yara": [],
"sha1": "ad7d04ed6a2372c1289d180fb32ed026ebe741d7",
"name": "576659fed85f4ee8_arprice.tps",
"filepath": "C:\\dms\\ARPrice.TPS",
"type": "data",
"sha256": "576659fed85f4ee83138d783238914ade797960c611b64e2674b808abc9353b4",
"urls": [],
"crc32": "BFB03014",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/576659fed85f4ee8_arprice.tps",
"ssdeep": null,
"size": 5707264,
"sha512": "59bfe569e8e0149f3ce51ec022d36cc419d89e13e39b517c568043eac44db9f2576628ca68af473f2df0dc7ccf6c72006bd6069dd79ea2b326c790d822090479",
"pids": [
2456
],
"md5": "fb640ed829f7c4ba556da1acc492ff06"
},
{
"yara": [],
"sha1": "47f000f824a67d0c9649d5507d80610bdf0463b6",
"name": "c3cade4acb03e058_~SB57EC.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"type": "PC bitmap, Windows 3.x format, 122 x 277 x 4",
"sha256": "c3cade4acb03e0583d2ba42992a1b34f10f78b9c0c2a3cbda07aaa69d433be35",
"urls": [],
"crc32": "4AC1CC14",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/c3cade4acb03e058_~SB57EC.tmp",
"ssdeep": null,
"size": 17846,
"sha512": "a86c9f7812dc778fd9da252ba01bd8729cf8c11d332991bea1759253a9025caf34f17f97690f2dd9136c5f9f76adb29b3e216a1d30b8d63160ddfb93de0d93fd",
"pids": [
2456
],
"md5": "ba074e8fdd3e94eeb47550f3a8b03a86"
},
{
"yara": [],
"sha1": "695a6c7d36f65b2a7cdee3ce5b84c58aac09f223",
"name": "3e09b9aea4affe13_~SB57FE.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"type": "data",
"sha256": "3e09b9aea4affe136ea20d8fe9309f2dd8b6d7d07ad060d9cb1058404c2bacc0",
"urls": [],
"crc32": "2B6492CB",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/3e09b9aea4affe13_~SB57FE.tmp",
"ssdeep": null,
"size": 5173,
"sha512": "9314e9ef26a2c19c73b545bf1309354288a09f15614132e0190e0e4c18b0de0db4c17747fe490a2baf52173e907d6670e6af5396b39de833bbc1e8690574405b",
"pids": [
2456
],
"md5": "0f972833a13c14962149760c35def300"
},
{
"yara": [],
"sha1": "43a9685291ced57987dfab670032d363c3972cc2",
"name": "b9a26fe3fdec294f_~SB57ED.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"type": "PC bitmap, Windows 3.x format, 55 x 55 x 8",
"sha256": "b9a26fe3fdec294fdb9194959dfe0de0c9adef7561f790f13c665cd338e79cc7",
"urls": [],
"crc32": "EEED78D2",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/b9a26fe3fdec294f_~SB57ED.tmp",
"ssdeep": null,
"size": 4158,
"sha512": "22afa96267341463f8e8c5b67a96227084b3dec24b88e71653cc46d5a3fe8da17220e5029f286c082df34b7c67db76cfa674001e37c39e8a1d439bb599e127f9",
"pids": [
2456
],
"md5": "a69ed4a9bd1945f86871708750827c90"
},
{
"yara": [],
"sha1": "118c51a98a76e436452f16283a6919319e836543",
"name": "d2b631d612bb69b1_~SB57EE.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"type": "ASCII text, with CRLF line terminators",
"sha256": "d2b631d612bb69b1cba58487d3d4489a26fa3105f58df8cb16fc5c23e5e97fd1",
"urls": [],
"crc32": "53483043",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/d2b631d612bb69b1_~SB57EE.tmp",
"ssdeep": null,
"size": 4691,
"sha512": "0ae22c6dc5a2707c4e5eef6278bdaa1bbcd10bc4cbcd5221006b860fdd275c927b4ebaba940161bdf5d3182c38fde681a8fdcae187db83da24ca0c0dd9b6fa53",
"pids": [
2456
],
"md5": "764bd350449b58484471894677a49b78"
},
{
"yara": [],
"sha1": "cd68ac77b480589e385c208ddb9e2cd053986344",
"name": "357120b8d25e0d3f_uninst_your price file update.log",
"filepath": "C:\\dms\\Uninst_Your Price File Update.log",
"type": "ASCII text, with very long lines, with CRLF line terminators",
"sha256": "357120b8d25e0d3fb37491a67ca6f3db49dfda99334d05ce886897c26a15f6cb",
"urls": [],
"crc32": "F7779FE6",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/357120b8d25e0d3f_uninst_your price file update.log",
"ssdeep": null,
"size": 3936,
"sha512": "1bb81c79ff395fb427b7c5c8f8e463d6c855267cac88d276dc312c3c3e7debfa54f7c4023da0723ec030efabb243524b9acf061e2e6f06c3dd7efaa22c5a03d2",
"pids": [
2456
],
"md5": "23accf6f3badd86c86ac73012b68ef6a"
},
{
"yara": [],
"sha1": "7b0117503d8c68ca52873fca272d01faa8012144",
"name": "ede10d2190a13825_arprisubs.tps",
"filepath": "C:\\dms\\ARPriSubs.TPS",
"type": "data",
"sha256": "ede10d2190a13825763d242dd8f6dc07ce3caa85b30827857a1361ca148664fe",
"urls": [],
"crc32": "F0CCD4E6",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/ede10d2190a13825_arprisubs.tps",
"ssdeep": null,
"size": 621312,
"sha512": "10099e118d758c79ef7e3a5e17c7bc7d91a44d8638c8cfc185eebdc81c1187110c79a0e00b9eeb11fd08b997b8a2be73029138280b4fdf89da613c5271e008b8",
"pids": [
2456
],
"md5": "50fa775ff362b70184f6b83f8ee3b295"
},
{
"yara": [],
"sha1": "1d67b30642c0d0e647d70f7da1c2b3e2332cdb8a",
"name": "6c7c730bd5e644ea_LSB57BA.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "6c7c730bd5e644ea2e7d04cee4f74d996ec64fd3b670fab918ae399b1ac5d723",
"urls": [],
"crc32": "06EEFFFA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/6c7c730bd5e644ea_LSB57BA.tmp",
"ssdeep": null,
"size": 15360,
"sha512": "e226496d309ad7f896b62da7726ddbab579cea18739565538dda02eee6deff86c87da956558f92de4e31708322745d3dec0270523b43f1afbc93a7d4880d965f",
"pids": [
2456
],
"md5": "9d5c845fec1983e26a1ab4f19b6f8a10"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"b": [
[
2770,
0
],
[
11663,
0
],
[
12204,
0
]
]
},
"strings": [
"VGhpcyBwcm9ncmFt"
]
}
],
"sha1": "c12be2a24cad647cc56a61f36feb106aa289ffa3",
"name": "3e9a204c933184c7_~SB57EB.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"type": "data",
"sha256": "3e9a204c933184c7ab695ea694d8b9d52c97572c58fb79db932c4deff6e1f653",
"urls": [],
"crc32": "EAEEDB6F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/3e9a204c933184c7_~SB57EB.tmp",
"ssdeep": null,
"size": 24196,
"sha512": "28869c3f3a6a32c203e433be4d73fc98bd1156f2199fb72f2118c8521b5510dcc8d0ea69d1071eb1bd053e8b002dad45f8db821a2b4565772588e1010705bd4b",
"pids": [
2456
],
"md5": "3ed6b991267cfb75cf07d74a216cca69"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_LSB57CA.tmp",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/e3b0c44298fc1c14_LSB57CA.tmp",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [
{
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"virtualpc": [
[
213599,
0
]
]
},
"strings": [
"Dz8HCw=="
]
}
],
"sha1": "132308af84613af2a29e149149acf314c6db7fff",
"name": "e70fc84f62ae8454_LSB57CA.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "e70fc84f62ae84548f6b29302ddc2ca2e2bdd9d1de0898914600233a7d37e7a6",
"urls": [],
"crc32": "93BFAB5E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1889\/files\/e70fc84f62ae8454_LSB57CA.tmp",
"ssdeep": null,
"size": 315392,
"sha512": "843d8cc1cdc714dc005f7c415357570c76de8622eceb89f3974e0b37b97d3d6b97fe7f16ef77f41004ca3a10830a749a38c10c364ce2d28f2f28e6aa8b387fb3",
"pids": [
2456
],
"md5": "d72d3ac19ff78967638a27992ec91a18"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"process_name": "28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"pid": 2456,
"summary": {
"file_created": [
"c:\\dms\\ARPrice.TPS",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"c:\\dms\\ARPriSubs.TPS",
"c:\\dms\\Uninst_Your Price File Update.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Windows\\SysWOW64\\sb6-e-m-i-l-y.tmp"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp"
],
"directory_created": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"c:\\dms",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
],
"dll_loaded": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"SETUPAPI.dll",
"IMM32.dll",
"UXTHEME",
"C:\\Windows\\syswow64\\MSCTF.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"RICHED32.DLL",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"comctl32",
"dwmapi.dll",
"rpcrt4.dll",
"ole32.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"user32.dll",
"comctl32.dll"
],
"file_opened": [
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"C:\\Users\\cuck"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UpgradeCodes\\0E7C02B88785FD11D3C610B115D0A41E",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"file_written": [
"c:\\dms\\ARPrice.TPS",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"c:\\dms\\ARPriSubs.TPS",
"c:\\dms\\Uninst_Your Price File Update.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp"
],
"file_deleted": [
"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp",
" ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Windows\\SysWOW64\\sb6-e-m-i-l-y.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029",
"c:\\dms\\BACKUP"
],
"file_exists": [
"c:\\dms\\ARPrice.TPS",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\wupdate.ini",
"c:\\dms",
"c:\\dms\\ARPriSubs.TPS",
"c:\\dms\\Uninst_Your Price File Update.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"file_failed": [
"c:\\dms",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029"
],
"file_read": [
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EC.tmp",
"C:\\Users\\cuck\\Documents\\desktop.ini",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57FE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EE.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57B9.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57EB.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~SB57ED.tmp"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOrganization",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\d72cd7d0-c283-11e9-4823-01944fd80029\\*.*"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\DisplayVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\Contact",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\VersionMinor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\Comments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Installer\\UpgradeCodes\\0E7C02B88785FD11D3C610B115D0A41E\\0E7C02B88785FD11764810B115D081EB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\HelpLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\HelpTelephone",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\NoRemove",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\Publisher",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\InstallLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\ProductVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\InstallDate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\URLInfoAbout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\NoModify",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\VersionMajor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\UninstallString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8B20C7E0-5878-11DF-6784-011B510D18BE}\\NoRepair"
]
},
"first_seen": 1566208386.6094,
"ppid": 2780
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1566208386.3438,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1566208386.9684,
"tid": 856,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1229
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1566208387.0154,
"tid": 2968,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2137
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 65,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "L\nS\nU\nn\np\na\nc\nk\n+\n0\nx\n2\n8\n2\n \nl\ns\nb\n5\n7\nb\na\n+\n0\nx\n2\n6\n1\n2\n \n@\n \n0\nx\n1\n0\n0\n0\n2\n6\n1\n2\n\n\n2\n8\n5\n5\n8\nd\n9\nf\n4\n9\nf\nc\n1\nd\nb\nf\ne\n2\n3\n2\nc\nf\nd\nc\ne\n7\nb\n9\n8\n6\n5\ne\na\nf\n6\nb\n5\n2\n7\na\n3\n5\n9\nd\n0\n8\n6\na\n4\n7\nd\n8\n2\n9\nf\n6\n5\n6\na\nc\n9\ne\n1\nb\n+\n0\nx\n1\na\nb\n8\n \n@\n \n0\nx\n3\nb\n1\na\nb\n8",
"registers": {
"esp": 2948096,
"edi": 0,
"eax": 3875933,
"ebp": 2948144,
"edx": 2130565971,
"ebx": 0,
"esi": 269057408,
"ecx": 269057408
},
"exception": {
"instruction_r": "88 10 40 89 45 e4 41 89 4d e0 ff 4d 10 eb e6 39",
"symbol": "lstrcpyn+0x2d lstrlen-0x53 kernelbase+0xa2dd",
"instruction": "mov byte ptr [eax], dl",
"module": "KERNELBASE.dll",
"exception_code": "0xc0000005",
"offset": 41693,
"address": "0x75dba2dd"
}
},
"time": 1566208386.7654,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 79
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nc\na\n5\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n7\n3\nb\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n7\n3\nb\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\n2\nf\n0\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n1\nd\n8\n6\n \n@\n \n0\nx\n1\n0\n0\n2\n1\nd\n8\n6\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\nd\n7\nc\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n0\n8\n1\n2\n \n@\n \n0\nx\n1\n0\n0\n2\n0\n8\n1\n2",
"registers": {
"esp": 2980504,
"edi": 1975271054,
"eax": 2980352,
"ebp": 2980544,
"edx": 0,
"ebx": 268695284,
"esi": 268684128,
"ecx": 34543272
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208386.9844,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1350
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n4\nd\nd\n3\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n4\n8\n6\n9\n \n@\n \n0\nx\n1\n0\n0\n2\n4\n8\n6\n9",
"registers": {
"esp": 2874908,
"edi": 1975271054,
"eax": 2874928,
"ebp": 2874948,
"edx": 0,
"ebx": 268687084,
"esi": 268687084,
"ecx": 34543352
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208386.9994,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1518
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874929,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34540056
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1657
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874929,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34540104
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1658
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34543320
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1659
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34543224
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1660
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34542768
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1661
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34540144
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1662
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874917,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34540192
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1663
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34542976
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1664
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34543056
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1665
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874945,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34543120
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1666
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34540248
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1667
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874880,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34543288
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1672
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nc\na\n5\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n7\n3\nb\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n7\n3\nb\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874880,
"ebp": 2874960,
"edx": 0,
"ebx": 268695284,
"esi": 268684128,
"ecx": 34543272
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1673
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874880,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34543336
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1674
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n6\n0\n1\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n5\na\na\na\n \n@\n \n0\nx\n1\n0\n0\n2\n5\na\na\na",
"registers": {
"esp": 2874920,
"edi": 1975271054,
"eax": 2874947,
"ebp": 2874960,
"edx": 0,
"ebx": 270267712,
"esi": 270267712,
"ecx": 34542896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1675
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\ne\n5\n9\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n3\nc\n3\nd\n \n@\n \n0\nx\n1\n0\n0\n1\n3\nc\n3\nd\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\nc\nb\na\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\nc\n6\n4\n5\n \n@\n \n0\nx\n1\n0\n0\n2\nc\n6\n4\n5",
"registers": {
"esp": 2874840,
"edi": 1975271054,
"eax": 2874672,
"ebp": 2874880,
"edx": 0,
"ebx": 268687496,
"esi": 268687496,
"ecx": 34539848
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1676
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\ne\n5\n9\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n3\nc\n3\nd\n \n@\n \n0\nx\n1\n0\n0\n1\n3\nc\n3\nd\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\nc\nb\na\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\nc\n6\n4\n5\n \n@\n \n0\nx\n1\n0\n0\n2\nc\n6\n4\n5",
"registers": {
"esp": 2874840,
"edi": 1975271054,
"eax": 2874673,
"ebp": 2874880,
"edx": 0,
"ebx": 268687496,
"esi": 268687496,
"ecx": 34539848
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1677
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\ne\n5\n9\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n3\nc\n3\nd\n \n@\n \n0\nx\n1\n0\n0\n1\n3\nc\n3\nd\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\nc\nb\na\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\nc\n6\n4\n5\n \n@\n \n0\nx\n1\n0\n0\n2\nc\n6\n4\n5",
"registers": {
"esp": 2874840,
"edi": 1975271054,
"eax": 2874674,
"ebp": 2874880,
"edx": 0,
"ebx": 268687496,
"esi": 268687496,
"ecx": 34539848
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1678
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n4\nc\nd\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\n5\nc\n9\n \n@\n \n0\nx\n1\n0\n0\n1\ne\n5\nc\n9",
"registers": {
"esp": 2873720,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873760,
"edx": 0,
"ebx": 268685964,
"esi": 268685964,
"ecx": 34539912
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0154,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 1712
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n0\n1\ne\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\n7\n8\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\n7\n8",
"registers": {
"esp": 2873800,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873840,
"edx": 0,
"ebx": 268685876,
"esi": 268685876,
"ecx": 34539864
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0464,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2184
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n8\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n0\n7\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n0\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2873748,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873788,
"edx": 0,
"ebx": 268687380,
"esi": 268687380,
"ecx": 34539816
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0464,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2185
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n2\n6\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n7\n0\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n7\n0\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2873748,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873788,
"edx": 0,
"ebx": 268687360,
"esi": 268687360,
"ecx": 34539832
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0464,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2186
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\ne\n3\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\nc\n6\n2\n \n@\n \n0\nx\n1\n0\n0\n1\ne\nc\n6\n2",
"registers": {
"esp": 2873800,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873840,
"edx": 0,
"ebx": 268686424,
"esi": 268686424,
"ecx": 34539896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208387.0624,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2251
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n0\n1\ne\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\n7\n8\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\n7\n8",
"registers": {
"esp": 2872856,
"edi": 1975271054,
"eax": 2872882,
"ebp": 2872896,
"edx": 0,
"ebx": 268685876,
"esi": 268685876,
"ecx": 34539864
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208388.5314,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2469
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n8\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n0\n7\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n0\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2872804,
"edi": 1975271054,
"eax": 2872626,
"ebp": 2872844,
"edx": 0,
"ebx": 268687380,
"esi": 268687380,
"ecx": 34539816
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208388.5314,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2470
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n2\n6\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n7\n0\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n7\n0\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2872804,
"edi": 1975271054,
"eax": 2872625,
"ebp": 2872844,
"edx": 0,
"ebx": 268687360,
"esi": 268687360,
"ecx": 34539832
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208388.5314,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2471
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n7\n9\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n1\nd\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n1\nd",
"registers": {
"esp": 58774568,
"edi": 1975271054,
"eax": 58774576,
"ebp": 58774608,
"edx": 0,
"ebx": 268686424,
"esi": 268686424,
"ecx": 34539896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208388.5314,
"tid": 2952,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2475
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n6\nd\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n2\n9\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n2\n9",
"registers": {
"esp": 58774556,
"edi": 1975271054,
"eax": 58774576,
"ebp": 58774596,
"edx": 0,
"ebx": 268686408,
"esi": 268686408,
"ecx": 34539880
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208388.5314,
"tid": 2952,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2476
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\ne\n3\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\nc\n6\n2\n \n@\n \n0\nx\n1\n0\n0\n1\ne\nc\n6\n2",
"registers": {
"esp": 2873800,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873840,
"edx": 0,
"ebx": 268686424,
"esi": 268686424,
"ecx": 34539896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208388.5774,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2532
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n0\n1\ne\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\n7\n8\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\n7\n8",
"registers": {
"esp": 2872856,
"edi": 1975271054,
"eax": 2872882,
"ebp": 2872896,
"edx": 0,
"ebx": 268685876,
"esi": 268685876,
"ecx": 34539864
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2765
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n9\nb\n7\n2\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n5\nf\n2\n4\n \n@\n \n0\nx\n1\n0\n0\n1\n5\nf\n2\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\n2\n6\n3\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n3\n0\n1\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n9\n4\n3\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n9\n4\n3\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\na\n4\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n4\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n7\n8\n4\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n7\n8\n4\n\n\nD\nr\na\nw\nT\ne\nx\nt\nE\nx\nA\n+\n0\nx\nd\n4\n \nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nI\nn\nd\ni\nr\ne\nc\nt\nP\na\nr\na\nm\nA\n-\n0\nx\n7\nd\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\na\nf\na\nc\n \n@\n \n0\nx\n7\n6\n3\nb\na\nf\na\nc\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nA\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n-\n0\nx\n7\n2\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n6\n1\n7\na\n \n@\n \n0\nx\n7\n6\n3\nb\n6\n1\n7\na\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nf\n3\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\na\n3\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\na\n3",
"registers": {
"esp": 2869864,
"edi": 1975271054,
"eax": 2869859,
"ebp": 2869904,
"edx": 0,
"ebx": 34545304,
"esi": 34545304,
"ecx": 34543288
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2766
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nc\na\n5\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n7\n3\nb\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n7\n3\nb\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n9\nb\n7\n2\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n5\nf\n2\n4\n \n@\n \n0\nx\n1\n0\n0\n1\n5\nf\n2\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\n2\n6\n3\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n3\n0\n1\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n9\n4\n3\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n9\n4\n3\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\na\n4\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n4\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n7\n8\n4\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n7\n8\n4\n\n\nD\nr\na\nw\nT\ne\nx\nt\nE\nx\nA\n+\n0\nx\nd\n4\n \nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nI\nn\nd\ni\nr\ne\nc\nt\nP\na\nr\na\nm\nA\n-\n0\nx\n7\nd\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\na\nf\na\nc\n \n@\n \n0\nx\n7\n6\n3\nb\na\nf\na\nc\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nA\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n-\n0\nx\n7\n2\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n6\n1\n7\na\n \n@\n \n0\nx\n7\n6\n3\nb\n6\n1\n7\na\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nf\n3\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\na\n3\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\na\n3",
"registers": {
"esp": 2869864,
"edi": 1975271054,
"eax": 2869859,
"ebp": 2869904,
"edx": 0,
"ebx": 268695284,
"esi": 268684128,
"ecx": 34543272
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2767
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n9\nb\n2\nd\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n5\nf\n6\n9\n \n@\n \n0\nx\n1\n0\n0\n1\n5\nf\n6\n9\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\n2\n6\n3\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n3\n0\n1\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n9\n4\n3\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n9\n4\n3\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\na\n4\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n4\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n7\n8\n4\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n7\n8\n4\n\n\nD\nr\na\nw\nT\ne\nx\nt\nE\nx\nA\n+\n0\nx\nd\n4\n \nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nI\nn\nd\ni\nr\ne\nc\nt\nP\na\nr\na\nm\nA\n-\n0\nx\n7\nd\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\na\nf\na\nc\n \n@\n \n0\nx\n7\n6\n3\nb\na\nf\na\nc\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nA\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n-\n0\nx\n7\n2\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n6\n1\n7\na\n \n@\n \n0\nx\n7\n6\n3\nb\n6\n1\n7\na\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nf\n3\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\na\n3\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\na\n3",
"registers": {
"esp": 2869844,
"edi": 1975271054,
"eax": 2869808,
"ebp": 2869884,
"edx": 0,
"ebx": 268687192,
"esi": 268687192,
"ecx": 34543368
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2771
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n8\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n0\n7\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n0\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2872804,
"edi": 1975271054,
"eax": 2872625,
"ebp": 2872844,
"edx": 0,
"ebx": 268687380,
"esi": 268687380,
"ecx": 34539816
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2772
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n2\n6\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n7\n0\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n7\n0\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2872804,
"edi": 1975271054,
"eax": 2872626,
"ebp": 2872844,
"edx": 0,
"ebx": 268687360,
"esi": 268687360,
"ecx": 34539832
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2773
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n7\n9\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n1\nd\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n1\nd",
"registers": {
"esp": 62377616,
"edi": 1975271054,
"eax": 62377520,
"ebp": 62377656,
"edx": 0,
"ebx": 268686424,
"esi": 268686424,
"ecx": 34539896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2256,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2776
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n6\nd\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n2\n9\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n2\n9",
"registers": {
"esp": 62377604,
"edi": 1975271054,
"eax": 62377520,
"ebp": 62377644,
"edx": 0,
"ebx": 268686408,
"esi": 268686408,
"ecx": 34539880
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6564,
"tid": 2256,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2777
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\ne\n3\n4\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\nc\n6\n2\n \n@\n \n0\nx\n1\n0\n0\n1\ne\nc\n6\n2",
"registers": {
"esp": 2873800,
"edi": 1975271054,
"eax": 2873648,
"ebp": 2873840,
"edx": 0,
"ebx": 268686424,
"esi": 268686424,
"ecx": 34539896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208390.6714,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2829
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n0\n1\ne\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\n7\n8\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\n7\n8",
"registers": {
"esp": 2872856,
"edi": 1975271054,
"eax": 2872882,
"ebp": 2872896,
"edx": 0,
"ebx": 268685876,
"esi": 268685876,
"ecx": 34539864
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7184,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3042
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n8\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n0\n7\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n0\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2872804,
"edi": 1975271054,
"eax": 2872626,
"ebp": 2872844,
"edx": 0,
"ebx": 268687380,
"esi": 268687380,
"ecx": 34539816
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7184,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3043
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\na\n2\n6\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n0\n7\n0\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n0\n7\n0\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nf\nd\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\na\nb\nc\n \n@\n \n0\nx\n1\n0\n0\n1\ne\na\nb\nc",
"registers": {
"esp": 2872804,
"edi": 1975271054,
"eax": 2872627,
"ebp": 2872844,
"edx": 0,
"ebx": 268687360,
"esi": 268687360,
"ecx": 34539832
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7184,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3044
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\n8\nd\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n1\nb\n7\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n1\nb\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n8\nc\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n0\na\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n0\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 63285448,
"edi": 1975271054,
"eax": 63285299,
"ebp": 63285488,
"edx": 0,
"ebx": 268687380,
"esi": 268687380,
"ecx": 34539816
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7184,
"tid": 3052,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3047
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\n8\nd\n3\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\n4\n1\nc\n3\n \n@\n \n0\nx\n1\n0\n0\n1\n4\n1\nc\n3\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n8\nc\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n0\na\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n0\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 63285436,
"edi": 1975271054,
"eax": 63285297,
"ebp": 63285476,
"edx": 0,
"ebx": 268687360,
"esi": 268687360,
"ecx": 34545392
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7184,
"tid": 3052,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3048
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n7\n9\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n1\nd\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n1\nd",
"registers": {
"esp": 63295728,
"edi": 1975271054,
"eax": 63295792,
"ebp": 63295768,
"edx": 0,
"ebx": 268686424,
"esi": 268686424,
"ecx": 34539896
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7344,
"tid": 3052,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3065
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nf\n6\nd\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nb\n2\n9\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nb\n2\n9",
"registers": {
"esp": 63295716,
"edi": 1975271054,
"eax": 63295536,
"ebp": 63295756,
"edx": 0,
"ebx": 268686408,
"esi": 268686408,
"ecx": 34539880
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7344,
"tid": 3052,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3066
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nd\nb\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n8\n5\n5\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n8\n5\n5\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n+\n0\nx\n2\nb\n6\n1\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n2\n2\n5\nf\n7\n \n@\n \n0\nx\n1\n0\n0\n2\n2\n5\nf\n7\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\nb\n0\nf\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\ne\nf\n8\n7\n \n@\n \n0\nx\n1\n0\n0\n1\ne\nf\n8\n7\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\n2\nf\nf\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n2\n6\n5\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n9\nd\nf\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n9\nd\nf\n\n\nG\ne\nt\nC\nu\nr\ns\no\nr\n+\n0\nx\na\n4\n \nD\nr\na\nw\nS\nt\na\nt\ne\nW\n-\n0\nx\n4\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\nf\n7\n8\n4\n \n@\n \n0\nx\n7\n6\n3\nc\nf\n7\n8\n4\n\n\nD\nr\na\nw\nT\ne\nx\nt\nE\nx\nA\n+\n0\nx\nd\n4\n \nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nI\nn\nd\ni\nr\ne\nc\nt\nP\na\nr\na\nm\nA\n-\n0\nx\n7\nd\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\na\nf\na\nc\n \n@\n \n0\nx\n7\n6\n3\nb\na\nf\na\nc\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nt\nK\ne\ny\nb\no\na\nr\nd\nS\nt\na\nt\ne\n+\n0\nx\nb\nb\nd\n \nC\nl\ni\nI\nm\nm\nS\ne\nt\nH\no\nt\nK\ne\ny\n-\n0\nx\n1\n2\nc\n9\ne\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n4\n2\n0\n6\nf\n \n@\n \n0\nx\n7\n6\n3\nd\n2\n0\n6\nf\n\n\nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nI\nn\nd\ni\nr\ne\nc\nt\nP\na\nr\na\nm\nA\no\nr\nW\n+\n0\nx\n3\n3\n \nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nP\na\nr\na\nm\nW\n-\n0\nx\n9\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n4\n1\n0\nd\n3\n \n@\n \n0\nx\n7\n6\n3\nd\n1\n0\nd\n3\n\n\nC\nr\ne\na\nt\ne\nD\ni\na\nl\no\ng\nP\na\nr\na\nm\nA\n+\n0\nx\n4\na\n \nW\ni\nn\nH\ne\nl\np\nA\n-\n0\nx\n2\ne\nf\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n3\n5\n2\n9\n0\n \n@\n \n0\nx\n7\n6\n3\nc\n5\n2\n9\n0\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\nb\n5\na\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n1\nd\nf\n3\nc\n \n@\n \n0\nx\n1\n0\n0\n1\nd\nf\n3\nc\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 62443336,
"edi": 1975271054,
"eax": 62443314,
"ebp": 62443376,
"edx": 0,
"ebx": 268685964,
"esi": 268685964,
"ecx": 34539912
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.7494,
"tid": 2792,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3096
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n7\ne\n8\n5\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n7\nc\n1\n1\n \n@\n \n0\nx\n1\n0\n0\n0\n7\nc\n1\n1\n\n\nR\nu\nn\nI\nn\ns\nt\na\nl\nl\ne\nr\n-\n0\nx\n1\n7\n0\n6\ne\n \nl\ns\nb\n5\n7\nc\na\n+\n0\nx\n8\na\n2\n8\n \n@\n \n0\nx\n1\n0\n0\n0\n8\na\n2\n8",
"registers": {
"esp": 2881964,
"edi": 268677850,
"eax": 2881792,
"ebp": 2882004,
"edx": 268677850,
"ebx": 1975278155,
"esi": 268677850,
"ecx": 34545392
},
"exception": {
"instruction_r": "88 02 41 42 84 c0 75 f6 c7 45 fc fe ff ff ff 8b",
"symbol": "lstrcpy+0x18 GetWindowsDirectoryA-0x55 kernel32+0x32ab5",
"instruction": "mov byte ptr [edx], al",
"module": "kernel32.dll",
"exception_code": "0xc0000005",
"offset": 207541,
"address": "0x75be2ab5"
}
},
"time": 1566208392.9374,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 3381
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 1,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceExW",
"return_value": 1,
"arguments": {
"root_path": "c:\\",
"free_bytes_available": 23511449600,
"total_number_of_free_bytes": 23511449600,
"total_number_of_bytes": 34252779520
},
"time": 1566208390.6564,
"tid": 2676,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 2770
}
],
"references": [],
"name": "antivm_disk_size"
},
{
"markcount": 2,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57BA.tmp",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\LSB57CA.tmp",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0773279666901,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.0803577899933,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.013267993927,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0165557861328,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.0221638679504,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.6311187744141,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.085448026657104,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.0372879505157,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0375428199768,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1414968967438,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "c9151de2571cde175ccf9257b21e535ba6802f050386bc8a80a4d5b86c780c0c",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "756993b88c044ff9d1ece7edf7a75fd4c65a6f0f565d09115d90d47768497e12",
"irc": [],
"https_ex": []
}Screenshots
AriensPartnerPlusTps.exe removal instructions
The instructions below shows how to remove AriensPartnerPlusTps.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the AriensPartnerPlusTps.exe file for removal, restart your computer and scan it again to verify that AriensPartnerPlusTps.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate AriensPartnerPlusTps.exe in the scan result and tick the checkbox next to the AriensPartnerPlusTps.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate AriensPartnerPlusTps.exe in the scan result.
c:\downloads\AriensPartnerPlusTps.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the AriensPartnerPlusTps.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If AriensPartnerPlusTps.exe still remains in the scan result, proceed with the next step. If AriensPartnerPlusTps.exe is gone from the scan result you're done.
- If AriensPartnerPlusTps.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that AriensPartnerPlusTps.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 1cd8e7658fb0fa0d1d3378d69d670bd8 |
| SHA256 | 28558d9f49fc1dbfe232cfdce7b9865eaf6b527a359d086a47d829f656ac9e1b |
Error Messages
These are some of the error messages that can appear related to arienspartnerplustps.exe:
arienspartnerplustps.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
arienspartnerplustps.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
SetupBuilder has stopped working.
End Program - arienspartnerplustps.exe. This program is not responding.
arienspartnerplustps.exe is not a valid Win32 application.
arienspartnerplustps.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.