What is 087965.exe?
087965.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected 087965.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
087965.exe is not signed.
VirusTotal report
59 of the 72 anti-virus programs at VirusTotal detected the 087965.exe file. That's a 82% detection rate.
| Scanner | Detection Name |
|---|---|
| Ad-Aware | Trojan.GenericKD.2834866 |
| AegisLab | Trojan.Win32.Agent.4!c |
| AhnLab-V3 | Trojan/Win32.Upbot.R167116 |
| Alibaba | TrojanSpy:Win32/Agent.8dbc3100 |
| ALYac | Trojan.GenericKD.2834866 |
| Antiy-AVL | Trojan[Spy]/Win32.Agent |
| Arcabit | Trojan.Generic.D2B41B2 |
| Avast | Win32:Dorder-C [Trj] |
| AVG | Win32:Dorder-C [Trj] |
| Avira | HEUR/AGEN.1020981 |
| Baidu | Win32.Trojan.Kryptik.ps |
| BitDefender | Trojan.GenericKD.2834866 |
| Bkav | W32.TrosjackLTC.Trojan |
| CAT-QuickHeal | Ransom.Crowti.A4 |
| ClamAV | Win.Malware.Dridex-94 |
| Comodo | Malware@#t7fnljo060in |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.c771c9 |
| Cylance | Unsafe |
| DrWeb | Trojan.DownLoader17.33752 |
| Emsisoft | Trojan.GenericKD.2834866 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | Win32/Dridex.P |
| F-Secure | Heuristic.HEUR/AGEN.1020981 |
| FireEye | Generic.mg.3650380c771c9bea |
| Fortinet | W32/Generic.AC.323CF9!tr |
| GData | Trojan.GenericKD.2834866 |
| Ikarus | Trojan.Win32.Crypt |
| Invincea | heuristic |
| Jiangmin | TrojanSpy.Agent.ypk |
| K7AntiVirus | Trojan ( 004beaac1 ) |
| K7GW | Trojan ( 004beaac1 ) |
| Kaspersky | Trojan-Spy.Win32.Agent.czkr |
| Malwarebytes | Trojan.Dridex |
| MAX | malware (ai score=100) |
| McAfee | GenericRXFB-MU!3650380C771C |
| McAfee-GW-Edition | BehavesLike.Win32.Ransomware.dm |
| Microsoft | Backdoor:Win32/Drixed.I |
| MicroWorld-eScan | Trojan.GenericKD.2834866 |
| NANO-Antivirus | Trojan.Win32.Agent.dyihgk |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | Win32/Trojan.Spy.081 |
| Rising | Trojan.Kryptik!1.A31F (CLASSIC) |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Troj/Dridex-HX |
| SUPERAntiSpyware | Trojan.Agent/Gen-Dridex |
| Symantec | Trojan.Gen.2 |
| Tencent | Win32.Trojan-spy.Agent.Ljae |
| Trapmine | malicious.moderate.ml.score |
| TrendMicro | TSPY_DRIDEX.YYSOR |
| TrendMicro-HouseCall | TSPY_DRIDEX.YYSOR |
| VBA32 | TrojanSpy.Agent |
| VIPRE | Trojan.Win32.Generic!BT |
| ViRobot | Trojan.Win32.Kryptik.Gen.A |
| Webroot | Trojan.Dropper.Gen |
| Yandex | TrojanSpy.Agent!fRALZFyiwPc |
| Zillya | Trojan.Inject.Win32.182852 |
| ZoneAlarm | Trojan-Spy.Win32.Agent.czkr |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory"
],
"dll_loaded": [
"C:\\Windows\\System32\\mswsock.dll",
"DNSAPI.dll",
"ntdll.dll",
"shlwapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"advapi32.dll",
"ole32.dll",
"CRYPTSP.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"ADVAPI32.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"DHCPCSVC.DLL",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"shell32.dll",
"WS2_32.dll",
"user32.dll"
],
"connects_host": [
"221.132.35.56"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Volatile Environment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Avg\\SystemValues",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
],
"resolves_host": [
"wpad",
"cuckpc"
],
"mutex": [
"IESQMMUTEX_0_208"
],
"guid": [
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_CURRENT_USER\\Volatile Environment\\USERNAME",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayName"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk"
]
}Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\f34b930f9c34ad376295db9aaaad6016b64fd78df25bb920531eef2224628ecd.bin",
"process_name": "f34b930f9c34ad376295db9aaaad6016b64fd78df25bb920531eef2224628ecd.bin",
"pid": 2816,
"summary": {
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory"
],
"dll_loaded": [
"C:\\Windows\\System32\\mswsock.dll",
"DNSAPI.dll",
"ntdll.dll",
"shlwapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"C:\\Windows\\system32\\uxtheme.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"advapi32.dll",
"ole32.dll",
"CRYPTSP.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"ADVAPI32.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"DHCPCSVC.DLL",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"shell32.dll",
"WS2_32.dll",
"user32.dll"
],
"connects_host": [
"221.132.35.56"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Volatile Environment",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Avg\\SystemValues",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
],
"resolves_host": [
"wpad",
"cuckpc"
],
"mutex": [
"IESQMMUTEX_0_208"
],
"guid": [
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_CURRENT_USER\\Volatile Environment\\USERNAME",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayName"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk"
]
},
"first_seen": 1577530385.609375,
"ppid": 2016
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1577530385.34375,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741515,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1577530385.718375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 48
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
"severity": 1,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "recon_fingerprint"
},
{
"markcount": 1,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "XUI",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 20,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 0,
"ebx": 1,
"esi": 164,
"ecx": 164
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.359375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6062
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 1076,
"ebx": 1435,
"esi": 40,
"ecx": 40
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.359375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6064
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 5172,
"ebx": 6897,
"esi": 249,
"ecx": 249
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.359375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6066
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 9268,
"ebx": 12358,
"esi": 172,
"ecx": 172
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6068
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 13364,
"ebx": 17819,
"esi": 167,
"ecx": 167
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6070
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 17460,
"ebx": 23281,
"esi": 195,
"ecx": 195
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6072
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 21556,
"ebx": 28742,
"esi": 207,
"ecx": 207
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6074
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 25652,
"ebx": 34203,
"esi": 141,
"ecx": 141
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6076
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 29748,
"ebx": 39665,
"esi": 11,
"ecx": 11
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6078
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 33844,
"ebx": 45126,
"esi": 69,
"ecx": 69
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6080
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 37940,
"ebx": 50587,
"esi": 11,
"ecx": 11
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6082
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 42036,
"ebx": 56049,
"esi": 141,
"ecx": 141
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6084
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 46132,
"ebx": 61510,
"esi": 131,
"ecx": 131
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6086
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 50228,
"ebx": 66971,
"esi": 114,
"ecx": 114
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6088
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 4475852,
"ebp": 1615928,
"edx": 54324,
"ebx": 72433,
"esi": 84,
"ecx": 84
},
"exception": {
"instruction_r": "88 0c 10 ff 85 d4 fe ff ff 43 ff 8d c0 fd ff ff",
"instruction": "mov byte ptr [eax + edx], cl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b129"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6090
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 58420,
"ebp": 1615928,
"edx": 4534312,
"ebx": 1620744,
"esi": 18,
"ecx": 4475852
},
"exception": {
"instruction_r": "88 14 01 8d 50 01 8b 8d 6c ff ff ff 33 51 08 8d",
"instruction": "mov byte ptr [ecx + eax], dl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b168"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6092
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 62516,
"ebp": 1615928,
"edx": 4538449,
"ebx": 1620744,
"esi": 18,
"ecx": 4475852
},
"exception": {
"instruction_r": "88 14 01 8d 50 01 8b 8d 6c ff ff ff 33 51 08 8d",
"instruction": "mov byte ptr [ecx + eax], dl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b168"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6094
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 66612,
"ebp": 1615928,
"edx": 4542692,
"ebx": 1620744,
"esi": 18,
"ecx": 4475852
},
"exception": {
"instruction_r": "88 14 01 8d 50 01 8b 8d 6c ff ff ff 33 51 08 8d",
"instruction": "mov byte ptr [ecx + eax], dl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b168"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6096
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 70708,
"ebp": 1615928,
"edx": 4546639,
"ebx": 1620744,
"esi": 18,
"ecx": 4475852
},
"exception": {
"instruction_r": "88 14 01 8d 50 01 8b 8d 6c ff ff ff 33 51 08 8d",
"instruction": "mov byte ptr [ecx + eax], dl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b168"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6098
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n1\nc\n6\n0\n4\n2\nc\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n3\n4\ne\n4\n \n@\n \n0\nx\n4\n0\n3\n4\ne\n4\n\n\nf\n3\n4\nb\n9\n3\n0\nf\n9\nc\n3\n4\na\nd\n3\n7\n6\n2\n9\n5\nd\nb\n9\na\na\na\na\nd\n6\n0\n1\n6\nb\n6\n4\nf\nd\n7\n8\nd\nf\n2\n5\nb\nb\n9\n2\n0\n5\n3\n1\ne\ne\nf\n2\n2\n2\n4\n6\n2\n8\ne\nc\nd\n+\n0\nx\n4\n9\n9\n3\n \n@\n \n0\nx\n4\n0\n4\n9\n9\n3\n\n\nB\na\ns\ne\nT\nh\nr\ne\na\nd\nI\nn\ni\nt\nT\nh\nu\nn\nk\n+\n0\nx\n1\n2\n \nV\ne\nr\ni\nf\ny\nC\no\nn\ns\no\nl\ne\nI\no\nH\na\nn\nd\nl\ne\n-\n0\nx\nb\n3\n \nk\ne\nr\nn\ne\nl\n3\n2\n+\n0\nx\n1\n3\n3\nc\na\n \n@\n \n0\nx\n7\n5\nb\nc\n3\n3\nc\na\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 1612516,
"edi": 47,
"eax": 74804,
"ebp": 1615928,
"edx": 4550868,
"ebx": 1620744,
"esi": 18,
"ecx": 4475852
},
"exception": {
"instruction_r": "88 14 01 8d 50 01 8b 8d 6c ff ff ff 33 51 08 8d",
"instruction": "mov byte ptr [ecx + eax], dl",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x18b168"
}
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6100
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 4,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 86016,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01e50000"
},
"time": 1577530388.359375,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 6061
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 94208,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01e70000"
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2816,
"type": "call",
"cid": 6102
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x01e90000"
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2816,
"type": "call",
"cid": 6103
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 106496,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00400000"
},
"time": 1577530388.374375,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 6105
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 0,
"family": 0
},
"time": 1577530389.468375,
"tid": 2820,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6659
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 16,
"families": [],
"description": "Queries for potentially installed applications",
"severity": 2,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x80000002",
"key_handle": "0x00000190",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"regkey_r": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6205
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AddressBook",
"regkey_r": "AddressBook",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6223
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Connection Manager",
"regkey_r": "Connection Manager",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6226
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DirectDrawEx",
"regkey_r": "DirectDrawEx",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6229
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\DXM_Runtime",
"regkey_r": "DXM_Runtime",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6232
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fontcore",
"regkey_r": "Fontcore",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6235
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE40",
"regkey_r": "IE40",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6238
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE4Data",
"regkey_r": "IE4Data",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6241
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IE5BAKEX",
"regkey_r": "IE5BAKEX",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6244
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\IEData",
"regkey_r": "IEData",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6247
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MobileOptionPack",
"regkey_r": "MobileOptionPack",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6250
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService",
"regkey_r": "MozillaMaintenanceService",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6253
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MPlayer2",
"regkey_r": "MPlayer2",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6261
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SchedulingAgent",
"regkey_r": "SchedulingAgent",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6264
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WIC",
"regkey_r": "WIC",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6267
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x00020109",
"base_handle": "0x00000190",
"key_handle": "0x00000194",
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}",
"regkey_r": "{0398A685-FD8D-46B3-9816-C47319B0CF5f}",
"options": 0
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6270
}
],
"references": [],
"name": "queries_programs"
},
{
"markcount": 1,
"families": [],
"description": "Attempts to identify installed AV products by registry key",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Avg\\SystemValues",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antiav_detectreg"
},
{
"markcount": 6,
"families": [
"dridex"
],
"description": "Exhibits behavior characteristic of Dridex malware",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegQueryValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000190",
"value": "CUCKPC",
"regkey_r": "ComputerName",
"reg_type": 1,
"regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ComputerName\\ComputerName"
},
"time": 1577530388.390375,
"tid": 2420,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2816,
"type": "call",
"cid": 6171
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegQueryValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000190",
"value": "cuck",
"regkey_r": "USERNAME",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Volatile Environment\\USERNAME"
},
"time": 1577530388.390375,
"tid": 2420,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2816,
"type": "call",
"cid": 6177
},
{
"call": {
"category": "crypto",
"status": 1,
"stacktrace": [],
"api": "CryptHashData",
"return_value": 1,
"arguments": {
"buffer": "CUCKPCcuck\u0000\u00e5U$[\u0000\u0000\u0000\u0000",
"flags": 0,
"hash_handle": "0x002de778"
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6194
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "InternetConnectW",
"return_value": 13369352,
"arguments": {
"username": "",
"service": 3,
"hostname": "221.132.35.56",
"internet_handle": "0x00cc0004",
"flags": 0,
"password": "",
"port": 8843
},
"time": 1577530389.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6282
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "HttpOpenRequestW",
"return_value": 13369356,
"arguments": {
"connect_handle": "0x00cc0008",
"http_version": "",
"flags": 8401408,
"http_method": "POST",
"referer": "",
"path": "\/"
},
"time": 1577530389.405375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6284
},
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 12029,
"nt_status": 0,
"api": "HttpSendRequestW",
"return_value": 0,
"arguments": {
"headers": "",
"request_handle": "0x00cc000c",
"post_data": "j\u00b1O\u009b\u00c7\u0080\u009c\u00f3\u00c3>s\u00f3<`\u00f6\u00ea\u00b2\u0097\u00bb\u001fT\u009a\u00a0\u009d\u00a4\u008b\u00843\u00b7\u0013\u00e7R|p\bzj\u00e4w\u0099\u00e6\u00b6p\u00af\u00f8\u00a4!;\u0095\u00afSV+\u00e8\u00fey$\u00f9Jy6\u0097\u00fd\u00af\u00d5v\u0017\u0095$\"\u0010c\u00bf\u00f0[\u0000G^\u0085@\u008f.\u00f2dZ\u00c8\u00f1\u00d1\u0013\u0005\u00dd\u00bd\u0097\u0081\u0096\u00ee\u00df)>g?\u00c5\u00bb\u00e5\u000b\u00ee|\u0093\u00dacm\u0085Vk\u001a\u00b2\u00b2-\u001e\u0082\u00ca\u008f\"p\u00b1\u00eb{\u0090\u00f3\u0095Z\u00a7\u0080\u0003\u00d9\u0080[dD5\u0010D\u00e4j\u00be\u00afB\u009a1\u0095\u00bd\u0095\u00c8J\u0093\u008b\u00a1f\u00d9\u00b4Z9|\u000e+}=\u001b0\u009a\u00bc\u00f9\u00cdS\u00fb\u00ae\n\u008a8\u00de\u00f8\u0016\u001c)\u0003hHu\u00ee[fk,k\u0090N#f\u00a3\u00d0n[\u00d9\u00cePl\u0014f\u00fb\u00f6\u00feF\u00d5\u00e8[u\u00c7\u00af\u0089\u0093^\u00e4\u0014\u000f\u00b2\u00a3\u00e3\\\u00fdY\u009b\u00f1\u00db\u0091tZ\u0003\u001c\u0095O\u0091"
},
"time": 1577530389.421375,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 6467
}
],
"references": [],
"name": "dridex_behavior"
},
{
"markcount": 2,
"families": [],
"description": "Collects information about installed applications",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegQueryValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000194",
"value": "Mozilla Maintenance Service",
"regkey_r": "DisplayName",
"reg_type": 1,
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MozillaMaintenanceService\\DisplayName"
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2816,
"type": "call",
"cid": 6255
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegQueryValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000194",
"value": "Python 2.7.14 (64-bit)",
"regkey_r": "DisplayName",
"reg_type": 1,
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{0398A685-FD8D-46B3-9816-C47319B0CF5f}\\DisplayName"
},
"time": 1577530388.405375,
"tid": 2420,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2816,
"type": "call",
"cid": 6272
}
],
"references": [],
"name": "recon_programs"
},
{
"markcount": 5,
"families": [],
"description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x000003a8",
"value": 1,
"regkey_r": "WpadDecisionReason",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason"
},
"time": 1577530392.030375,
"tid": 2820,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 2816,
"type": "call",
"cid": 6674
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x000003a8",
"value": "\u00e0\u0017\u0015\u00a2\u00bd\u00d5\u0001",
"regkey_r": "WpadDecisionTime",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime"
},
"time": 1577530392.030375,
"tid": 2820,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 2816,
"type": "call",
"cid": 6675
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x000003a8",
"value": 3,
"regkey_r": "WpadDecision",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision"
},
"time": 1577530392.030375,
"tid": 2820,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 2816,
"type": "call",
"cid": 6676
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x000003a8",
"value": "Unidentified network",
"regkey_r": "WpadNetworkName",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName"
},
"time": 1577530392.030375,
"tid": 2820,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2816,
"type": "call",
"cid": 6677
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x000003a4",
"value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"regkey_r": "WpadLastNetwork",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork"
},
"time": 1577530392.046375,
"tid": 2820,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 2816,
"type": "call",
"cid": 6745
}
],
"references": [],
"name": "modifies_proxy_wpad"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.1256558895111084,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5874,
"time": 9.172860860824585,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7718,
"time": 3.033620834350586,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8046,
"time": 1.0336987972259521,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8374,
"time": 3.078831911087036,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8702,
"time": 1.5357558727264404,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9030,
"time": -0.0975790023803711,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9358,
"time": 5.658097982406616,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 9678,
"time": 1.5468108654022217,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29088,
"time": 1.062474012374878,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37472,
"time": 3.12742280960083,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "45817863795398898d52333119b0bd67aa1c96ae68085da421e083e4a9134b39",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "9d60fef675bc197da30cb33284f4102da714931abe4d6633e0a107fbf45a705b",
"irc": [],
"https_ex": []
}Screenshots
087965.exe removal instructions
The instructions below shows how to remove 087965.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the 087965.exe file for removal, restart your computer and scan it again to verify that 087965.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate 087965.exe in the scan result and tick the checkbox next to the 087965.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate 087965.exe in the scan result.
c:\downloads\087965.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the 087965.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If 087965.exe still remains in the scan result, proceed with the next step. If 087965.exe is gone from the scan result you're done.
- If 087965.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that 087965.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 3650380c771c9bea44a809044dffbb9d |
| SHA256 | f34b930f9c34ad376295db9aaaad6016b64fd78df25bb920531eef2224628ecd |
Error Messages
These are some of the error messages that can appear related to 087965.exe:
087965.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
087965.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
087965.exe has stopped working.
End Program - 087965.exe. This program is not responding.
087965.exe is not a valid Win32 application.
087965.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with 087965.exe?
To help other users, please let us know what you will do with 087965.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.