What is 45gredcs.exe?

45gredcs.exe is usually located in the 'C:\ProgramData\UBlockPlugin\' folder.

Some of the anti-virus scanners at VirusTotal detected 45gredcs.exe.

If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.

Vendor and version information

45gredcs.exe does not have any version or vendor information.

Digital signatures

45gredcs.exe is not signed.

VirusTotal report

49 of the 72 anti-virus programs at VirusTotal detected the 45gredcs.exe file. That's a 68% detection rate.

Scanner  Detection Name
Acronis suspicious
Ad-Aware Gen:Variant.Symmi.94097
AegisLab Trojan.Win32.Generic.4!c
AhnLab-V3 Trojan/Win32.Generic.C3827424
Alibaba Packed:Win32/Themida.64ebb009
ALYac Gen:Variant.Symmi.94097
APEX Malicious
Arcabit Trojan.Symmi.D16F91
Avast Win32:PWSX-gen [Trj]
AVG Win32:PWSX-gen [Trj]
Avira TR/Crypt.TPM.Gen
BitDefender Gen:Variant.Symmi.94097
BitDefenderTheta Gen:NN.ZexaF.33558.aAWaaCuqsqi
Bkav W32.HfsAutoB.
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.44a395
Cylance Unsafe
Cyren W32/S-1a32a0f0!Eldorado
eGambit Unsafe.AI_Score_98%
Emsisoft Gen:Variant.Symmi.94097 (B)
Endgame malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.Themida.AZN
F-Prot W32/S-1a32a0f0!Eldorado
F-Secure Trojan.TR/Crypt.TPM.Gen
FireEye Generic.mg.cfe430475fe15205
Fortinet W32/Generic!tr
GData Gen:Variant.Symmi.94097
Ikarus Trojan.Win32.Themida
Invincea heuristic
K7AntiVirus Trojan ( 0040f4ef1 )
K7GW Trojan ( 0040f4ef1 )
Kaspersky HEUR:Trojan.Win32.Generic
MAX malware (ai score=83)
McAfee Artemis!CFE430475FE1
McAfee-GW-Edition BehavesLike.Win32.Adware.vc
Microsoft Trojan:Win32/Dynamer!rfn
MicroWorld-eScan Gen:Variant.Symmi.94097
Paloalto generic.ml
Panda Trj/CI.A
Qihoo-360 Win32/Trojan.PWS.d75
Rising Trojan.Generic@ML.100 (RDML:TtqCmRAlpuBdBh/7ogGPQw)
Sangfor Malware
SentinelOne DFI - Malicious PE
Sophos Mal/Generic-S
Symantec ML.Attribute.HighConfidence
Trapmine malicious.high.ml.score
VBA32 BScope.Trojan-Dropper.Inject
Webroot W32.Trojan.TR.Crypt.TPM
ZoneAlarm HEUR:Trojan.Win32.Generic
49 of the 72 anti-virus programs detected the 45gredcs.exe file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "file_created": [
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
    ],
    "directory_created": [
        "C:\\ProgramData\\UBlockPlugin"
    ],
    "dll_loaded": [
        "winmm.dll",
        "DNSAPI.dll",
        "KERNEL32.dll",
        "ntdll.dll",
        "cryptsp.dll",
        "winhttp.dll",
        "CFGMGR32.dll",
        "SspiCli.dll",
        "advapi32.dll",
        "ole32.dll",
        "SHLWAPI.dll",
        "USER32.dll",
        "credssp.dll",
        "IPHLPAPI.DLL",
        "ADVAPI32.dll",
        "NTDLL.dll",
        "RPCRT4.dll",
        "C:\\Windows\\System32\\wship6.dll",
        "NSI.dll",
        "NTDLL",
        "kernel32.dll",
        "C:\\Windows\\system32\\mswsock.dll",
        "shell32.dll",
        "rpcrt4.dll",
        "C:\\Windows\\System32\\wshtcpip.dll",
        "WS2_32.dll",
        "user32.dll",
        "Winhttp.dll"
    ],
    "file_failed": [
        "\\??\\NTICE",
        "\\??\\SICE",
        "\\??\\SIWVID"
    ],
    "regkey_opened": [
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo",
        "HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
        "HKEY_CURRENT_USER\\Software\\Wine",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
        "HKEY_CURRENT_USER",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\IDConfigDB",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache"
    ],
    "resolves_host": [
        "loy02.top",
        "loy01.top"
    ],
    "file_written": [
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
    ],
    "file_deleted": [
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin"
    ],
    "file_opened": [
        "C:\\Windows\\System32\\ntdll.dll",
        "c:\\",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\ProgramData\\UBlockPlugin",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
    ],
    "command_line": [
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe \"C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin\" ensgJJ",
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
    ],
    "file_read": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "C:\\Windows\\System32\\ntdll.dll",
        "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentConfig",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo\\DockingState",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\FriendlyName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\HwProfileGuid",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type"
    ],
    "regkey_written": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
    ]
}

Dropped

[
    {
        "yara": [
            {
                "meta": {
                    "description": "Possibly employs anti-virtualization techniques",
                    "author": "nex"
                },
                "name": "vmdetect",
                "offsets": {
                    "virtualpc": [
                        [
                            939410,
                            0
                        ]
                    ]
                },
                "strings": [
                    "Dz8HCw=="
                ]
            }
        ],
        "sha1": "e741c3844a39529a8231dbda9066c3ff0187a05f",
        "name": "8a1702f42123de7e_8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "sha256": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f",
        "urls": [],
        "crc32": "52336DF0",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4655\/files\/8a1702f42123de7e_8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "ssdeep": null,
        "size": 2104832,
        "sha512": "9bd61986c0e9db977e4b2a07de00d2ea20d6e747fa72d521f2ee8638d7471f7f718de138f08a0a1ab3b48f94d83f296fff5786e5b70b0dc8144fd1ece26e835b",
        "pids": [],
        "md5": "cfe430475fe152057fb6690ea227c6d1"
    }
]

Generic

[
    {
        "process_path": "C:\\ProgramData\\UBlockPlugin\\plugin.exe",
        "process_name": "plugin.exe",
        "pid": 2056,
        "summary": {
            "directory_created": [
                "C:\\ProgramData\\UBlockPlugin"
            ],
            "dll_loaded": [
                "winmm.dll",
                "DNSAPI.dll",
                "KERNEL32.dll",
                "ntdll.dll",
                "cryptsp.dll",
                "winhttp.dll",
                "CFGMGR32.dll",
                "SspiCli.dll",
                "advapi32.dll",
                "ole32.dll",
                "SHLWAPI.dll",
                "USER32.dll",
                "credssp.dll",
                "IPHLPAPI.DLL",
                "ADVAPI32.dll",
                "NTDLL.dll",
                "RPCRT4.dll",
                "C:\\Windows\\System32\\wship6.dll",
                "NSI.dll",
                "NTDLL",
                "kernel32.dll",
                "C:\\Windows\\system32\\mswsock.dll",
                "shell32.dll",
                "rpcrt4.dll",
                "C:\\Windows\\System32\\wshtcpip.dll",
                "WS2_32.dll",
                "user32.dll",
                "Winhttp.dll"
            ],
            "file_failed": [
                "\\??\\NTICE",
                "\\??\\SICE",
                "\\??\\SIWVID"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo",
                "HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
                "HKEY_CURRENT_USER\\Software\\Wine",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
                "HKEY_CURRENT_USER",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\IDConfigDB",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache"
            ],
            "resolves_host": [
                "loy02.top",
                "loy01.top"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin"
            ],
            "file_opened": [
                "C:\\Windows\\System32\\ntdll.dll",
                "c:\\",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\ProgramData\\UBlockPlugin",
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
            ],
            "command_line": [
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
            ],
            "file_read": [
                "C:\\Windows\\System32\\ntdll.dll",
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentConfig",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\CurrentDockInfo\\DockingState",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\FriendlyName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001\\HwProfileGuid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type"
            ],
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
            ]
        },
        "first_seen": 1577731987.234375,
        "ppid": 1664
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "process_name": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
        "pid": 1664,
        "summary": {
            "file_created": [
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
            ],
            "directory_created": [
                "C:\\ProgramData\\UBlockPlugin"
            ],
            "dll_loaded": [
                "NTDLL",
                "winmm.dll",
                "advapi32.dll",
                "KERNEL32.dll",
                "shell32.dll",
                "kernel32.dll",
                "user32.dll",
                "ntdll.dll",
                "ADVAPI32.dll",
                "NTDLL.dll",
                "USER32.dll",
                "Winhttp.dll"
            ],
            "file_failed": [
                "\\??\\NTICE",
                "\\??\\SICE",
                "\\??\\SIWVID"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
                "HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
                "HKEY_CURRENT_USER\\Software\\Wine",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__"
            ],
            "file_written": [
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
            ],
            "file_deleted": [
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                "C:\\Windows\\System32\\ntdll.dll",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "command_line": [
                "C:\\ProgramData\\UBlockPlugin\\plugin.exe \"C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin\" ensgJJ"
            ],
            "file_read": [
                "C:\\Windows\\System32\\ntdll.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
            ]
        },
        "first_seen": 1577731986.59375,
        "ppid": 2456
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1577731986.375,
        "ppid": 376
    }
]

Signatures

[
    {
        "markcount": 4,
        "families": [],
        "description": "Queries for the computername",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 111,
                    "nt_status": -1073741568,
                    "api": "GetComputerNameW",
                    "return_value": 0,
                    "arguments": {
                        "computer_name": ""
                    },
                    "time": 1577731994.468375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5609
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1577731994.468375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5611
            },
            {
                "call": {
                    "category": "misc",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 111,
                    "nt_status": -1073741568,
                    "api": "GetComputerNameW",
                    "return_value": 0,
                    "arguments": {
                        "computer_name": ""
                    },
                    "time": 1577731994.484375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5653
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1577731994.484375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5655
            }
        ],
        "references": [],
        "name": "antivm_queries_computername"
    },
    {
        "markcount": 60,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5444
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731987.749375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5294
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731989.843375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5488
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731991.859375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5502
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731993.968375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5586
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731995.984375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5951
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577731997.999375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6052
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732000.015375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6121
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732002.030375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6213
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732004.046375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6283
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732006.062375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6356
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732008.077375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6451
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732010.093375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6463
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732012.109375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6482
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732014.124375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6494
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732016.140375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6513
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732018.155375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6525
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732020.171375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6546
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732022.187375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6561
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732024.202375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6575
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732026.218375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6593
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732028.234375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6605
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732030.249375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6624
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732032.265375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6636
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732034.280375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6655
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732036.296375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6667
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732038.312375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6681
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732040.327375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6698
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732042.343375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6710
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732044.359375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6729
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732046.374375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6741
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732048.390375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6760
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732050.405375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6772
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732052.421375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6788
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732054.437375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6803
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732056.452375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6818
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732058.468375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6837
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732060.484375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6849
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732062.499375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6871
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732064.515375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6883
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732066.530375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6902
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732068.546375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6931
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732070.562375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6945
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732072.577375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6962
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732074.593375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6974
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732076.609375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 6993
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732078.624375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 7005
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732080.640375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 7024
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732082.655375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 7036
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1577732084.671375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 7052
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GlobalMemoryStatusEx",
                    "return_value": 1,
                    "arguments": {},
                    "time": 1577731994.515375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5799
            }
        ],
        "references": [],
        "name": "antivm_memory_available"
    },
    {
        "markcount": 5,
        "families": [],
        "description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
        "severity": 1,
        "marks": [
            {
                "category": "section",
                "ioc": "   \\x00    ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": ".idata  ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": "        ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": "czjzjtyj",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": "pdsijnhx",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "pe_features"
    },
    {
        "markcount": 242,
        "families": [],
        "description": "One or more processes crashed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77bc9ed2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77bc9ea5",
                        "registers": {
                            "esp": 3669404,
                            "edi": 0,
                            "eax": 1,
                            "ebp": 3669420,
                            "edx": 1062641664,
                            "ebx": 2130567168,
                            "esi": 0,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x3010b9",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 3150009,
                            "address": "0x3f3710b9"
                        }
                    },
                    "time": 1577731986.70275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 0
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669368,
                            "edi": 1057852925,
                            "eax": 27711,
                            "ebp": 752906260,
                            "edx": 1057423360,
                            "ebx": 516525928,
                            "esi": 3,
                            "ecx": 1975386112
                        },
                        "exception": {
                            "instruction_r": "fb 52 ba d3 c2 ff 7f f7 da e9 cc 03 00 00 87 2c",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x690e9",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 430313,
                            "address": "0x3f0d90e9"
                        }
                    },
                    "time": 1577731986.70275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 1
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 1057855808,
                            "eax": 240873,
                            "ebp": 752906260,
                            "edx": 1057423360,
                            "ebx": 516525928,
                            "esi": 3,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 81 ec 04 00 00 00 89 0c 24 c7 04 24 e0 19 ff",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x698d0",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 432336,
                            "address": "0x3f0d98d0"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 2
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669368,
                            "edi": 1057855808,
                            "eax": 1057857104,
                            "ebp": 752906260,
                            "edx": 969721469,
                            "ebx": 516525928,
                            "esi": 3,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 05 51 74 ff 64 83 ec 04 89 1c 24 83 ec 04 89",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x6a1af",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 434607,
                            "address": "0x3f0da1af"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 3
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 0,
                            "eax": 1057860333,
                            "ebp": 752906260,
                            "edx": 969721469,
                            "ebx": 516525928,
                            "esi": 1259,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 83 ec 04 89 3c 24 89 e7 51 52 51 68 d6 7f 39",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x6aa9e",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 436894,
                            "address": "0x3f0daa9e"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 4
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 735721,
                            "eax": 4294943824,
                            "ebp": 752906260,
                            "edx": 1059468040,
                            "ebx": 47055566,
                            "esi": 1059424351,
                            "ecx": 718
                        },
                        "exception": {
                            "instruction_r": "fb 57 89 e7 55 e9 55 fb ff ff 5c e9 34 03 00 00",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1ed381",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2020225,
                            "address": "0x3f25d381"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 10
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 735721,
                            "eax": 1059478870,
                            "ebp": 752906260,
                            "edx": 1365984085,
                            "ebx": 47055566,
                            "esi": 1059424351,
                            "ecx": 446260264
                        },
                        "exception": {
                            "instruction_r": "fb 68 0f e9 57 32 89 34 24 54 5e 81 c6 04 00 00",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1ef69a",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2029210,
                            "address": "0x3f25f69a"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 11
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 0,
                            "eax": 1059452954,
                            "ebp": 752906260,
                            "edx": 1549541099,
                            "ebx": 47055566,
                            "esi": 1059424351,
                            "ecx": 446260264
                        },
                        "exception": {
                            "instruction_r": "fb 52 ba 0e 8e fe 58 e9 b6 fb ff ff 41 e9 ec 02",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1ef134",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2027828,
                            "address": "0x3f25f134"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 12
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669368,
                            "edi": 8269040,
                            "eax": 1059480266,
                            "ebp": 752906260,
                            "edx": 1057878495,
                            "ebx": 1059452980,
                            "esi": 63540,
                            "ecx": 1059452980
                        },
                        "exception": {
                            "instruction_r": "fb e9 66 01 00 00 83 c4 04 e9 97 03 00 00 89 0c",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1f6a6c",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2058860,
                            "address": "0x3f266a6c"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 16
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 4294944212,
                            "eax": 1059506289,
                            "ebp": 752906260,
                            "edx": 1057878495,
                            "ebx": 1059452980,
                            "esi": 1114345,
                            "ecx": 1059452980
                        },
                        "exception": {
                            "instruction_r": "fb 68 cc 57 e1 0d 89 3c 24 c7 04 24 00 5e 63 77",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1f67e2",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2058210,
                            "address": "0x3f2667e2"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 17
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 4294944212,
                            "eax": 1447909480,
                            "ebp": 752906260,
                            "edx": 22104,
                            "ebx": 1975324853,
                            "esi": 1059487369,
                            "ecx": 20
                        },
                        "exception": {
                            "instruction_r": "ed 64 8f 05 00 00 00 00 52 50 89 0c 24 c7 04 24",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1fb0bd",
                            "instruction": "in eax, dx",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2076861,
                            "address": "0x3f26b0bd"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 22
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 4294944212,
                            "eax": 1,
                            "ebp": 752906260,
                            "edx": 22104,
                            "ebx": 0,
                            "esi": 1059487369,
                            "ecx": 20
                        },
                        "exception": {
                            "instruction_r": "0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1fcf53",
                            "address": "0x3f26cf53",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc000001d",
                            "offset": 2084691
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 23
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 4294944212,
                            "eax": 1447909480,
                            "ebp": 752906260,
                            "edx": 22104,
                            "ebx": 2256917605,
                            "esi": 1059487369,
                            "ecx": 10
                        },
                        "exception": {
                            "instruction_r": "ed 81 fb 68 58 4d 56 75 0a c7 85 51 2a 2d 12 01",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1fb77f",
                            "instruction": "in eax, dx",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2078591,
                            "address": "0x3f26b77f"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 24
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 0,
                            "eax": 3669332,
                            "ebp": 752906260,
                            "edx": 2130511814,
                            "ebx": 1059522470,
                            "esi": 0,
                            "ecx": 1958
                        },
                        "exception": {
                            "instruction_r": "cd 01 eb 00 50 e8 0e 00 00 00 52 00 14 8c a5 75",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x20068e",
                            "instruction": "int 1",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000005",
                            "offset": 2098830,
                            "address": "0x3f27068e"
                        }
                    },
                    "time": 1577731986.87475,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 2798
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 1059527024,
                            "eax": 31743,
                            "ebp": 752906260,
                            "edx": 1110228515,
                            "ebx": 0,
                            "esi": 2283,
                            "ecx": 19
                        },
                        "exception": {
                            "instruction_r": "fb e9 17 07 00 00 81 f2 71 cf 64 13 01 d0 e9 3a",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x201135",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2101557,
                            "address": "0x3f271135"
                        }
                    },
                    "time": 1577731986.87475,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 2799
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669368,
                            "edi": 1059587425,
                            "eax": 26329,
                            "ebp": 752906260,
                            "edx": 6,
                            "ebx": 24097237,
                            "esi": 1975260176,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 56 89 04 24 b8 af b6 fe 5d 56 be a7 6a 36 32",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x2105f2",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2164210,
                            "address": "0x3f2805f2"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5307
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 1059590218,
                            "eax": 26329,
                            "ebp": 752906260,
                            "edx": 6,
                            "ebx": 24097237,
                            "esi": 322689,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 56 be 01 35 df 55 55 81 ec 04 00 00 00 89 3c",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x210b35",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2165557,
                            "address": "0x3f280b35"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5308
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669368,
                            "edi": 331898974,
                            "eax": 32972,
                            "ebp": 752906260,
                            "edx": 1059603666,
                            "ebx": 1072193759,
                            "esi": 1059912907,
                            "ecx": 2934042078
                        },
                        "exception": {
                            "instruction_r": "fb 81 c2 6b 04 f6 7f 50 b8 aa 42 ff 5f 05 a9 eb",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x214525",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2180389,
                            "address": "0x3f284525"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5309
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 331898974,
                            "eax": 453097,
                            "ebp": 752906260,
                            "edx": 1059606778,
                            "ebx": 1072193759,
                            "esi": 0,
                            "ecx": 2934042078
                        },
                        "exception": {
                            "instruction_r": "fb 51 89 34 24 89 14 24 89 1c 24 e9 0a f9 ff ff",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x214d4c",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2182476,
                            "address": "0x3f284d4c"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5310
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 331898974,
                            "eax": 1059641825,
                            "ebp": 752906260,
                            "edx": 1339480795,
                            "ebx": 1072193759,
                            "esi": 0,
                            "ecx": 1339480795
                        },
                        "exception": {
                            "instruction_r": "fb 68 39 58 4a 0d 89 14 24 89 2c 24 c7 04 24 64",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x216f19",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2191129,
                            "address": "0x3f286f19"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5311
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669372,
                            "edi": 331898974,
                            "eax": 1059614565,
                            "ebp": 752906260,
                            "edx": 1339480795,
                            "ebx": 1072193759,
                            "esi": 0,
                            "ecx": 262633
                        },
                        "exception": {
                            "instruction_r": "fb 56 e9 2d f9 ff ff 50 e9 00 00 00 00 89 24 24",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x216cde",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2190558,
                            "address": "0x3f286cde"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5312
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669360,
                            "edi": 331898974,
                            "eax": 31600,
                            "ebp": 752906260,
                            "edx": 1339480795,
                            "ebx": 1059624401,
                            "esi": 0,
                            "ecx": 448723875
                        },
                        "exception": {
                            "instruction_r": "fb e9 21 06 00 00 29 d8 5b e9 30 02 00 00 fb 29",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x219771",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2201457,
                            "address": "0x3f289771"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5314
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 331898974,
                            "eax": 31600,
                            "ebp": 752906260,
                            "edx": 1339480795,
                            "ebx": 1059656001,
                            "esi": 0,
                            "ecx": 448723875
                        },
                        "exception": {
                            "instruction_r": "fb 29 c0 ff 34 03 e9 4e 04 00 00 8b 34 24 83 c4",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x21977f",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2201471,
                            "address": "0x3f28977f"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5315
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 331898974,
                            "eax": 4294938508,
                            "ebp": 752906260,
                            "edx": 1339480795,
                            "ebx": 1059656001,
                            "esi": 0,
                            "ecx": 1173378408
                        },
                        "exception": {
                            "instruction_r": "fb e9 8e 02 00 00 45 81 f5 68 8f 18 3b 55 e9 1a",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x219d58",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2202968,
                            "address": "0x3f289d58"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5316
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 1059713698,
                            "eax": 31598,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1358981728,
                            "esi": 4294938816,
                            "ecx": 3348103168
                        },
                        "exception": {
                            "instruction_r": "fb 68 96 2b 5f 4e e9 9c fc ff ff 33 04 24 31 04",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x228013",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2261011,
                            "address": "0x3f298013"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5332
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 0,
                            "eax": 1059753667,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 3348103168,
                            "esi": 1059749207,
                            "ecx": 3348103168
                        },
                        "exception": {
                            "instruction_r": "fb 05 86 b0 71 33 52 e9 4e 02 00 00 89 0c 24 b9",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x239821",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2332705,
                            "address": "0x3f2a9821"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5350
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 0,
                            "eax": 1059756714,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1955922272,
                            "esi": 1059749207,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 68 17 5a 60 3b 89 3c 24 51 b9 ce a1 fb 7f 89",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x239960",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2333024,
                            "address": "0x3f2a9960"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5351
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 0,
                            "eax": 26592,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1955922272,
                            "esi": 1059758816,
                            "ecx": 378324992
                        },
                        "exception": {
                            "instruction_r": "fb 50 51 b9 04 c5 9d 63 55 e9 94 f9 ff ff 8b 24",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x23aae5",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2337509,
                            "address": "0x3f2aaae5"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5352
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 0,
                            "eax": 26592,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1955922272,
                            "esi": 1059785408,
                            "ecx": 378324992
                        },
                        "exception": {
                            "instruction_r": "fb 50 c7 04 24 96 af 2d 39 f7 1c 24 81 2c 24 2b",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x23a70a",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2336522,
                            "address": "0x3f2aa70a"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5353
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 1392536160,
                            "eax": 26592,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1955922272,
                            "esi": 1059761720,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb e9 09 00 00 00 59 8b 34 24 e9 f8 f9 ff ff 57",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x23aa18",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2337304,
                            "address": "0x3f2aaa18"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5354
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 0,
                            "eax": 28197,
                            "ebp": 752906260,
                            "edx": 1059762817,
                            "ebx": 447700966,
                            "esi": 1059761751,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 51 b9 9c 6b f7 2e 53 55 50 c7 04 24 b2 ed 02",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x23bcd8",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2342104,
                            "address": "0x3f2abcd8"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5355
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 0,
                            "eax": 28197,
                            "ebp": 752906260,
                            "edx": 1059765822,
                            "ebx": 447700966,
                            "esi": 1059761751,
                            "ecx": 4192193976
                        },
                        "exception": {
                            "instruction_r": "fb 57 83 ec 04 e9 c8 00 00 00 b9 27 37 fd 4f 21",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x23bb44",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2341700,
                            "address": "0x3f2abb44"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5356
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 0,
                            "eax": 1059769162,
                            "ebp": 752906260,
                            "edx": 0,
                            "ebx": 729390477,
                            "esi": 1059761751,
                            "ecx": 4192193976
                        },
                        "exception": {
                            "instruction_r": "fb 68 ae 9e 05 16 89 04 24 89 1c 24 89 14 24 55",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x23c7dc",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2344924,
                            "address": "0x3f2ac7dc"
                        }
                    },
                    "time": 1577731987.04675,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5357
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 0,
                            "eax": 30398,
                            "ebp": 752906260,
                            "edx": 0,
                            "ebx": 65802,
                            "esi": 1059761751,
                            "ecx": 1059784840
                        },
                        "exception": {
                            "instruction_r": "fb 52 57 89 0c 24 b9 b3 bb ef 5f 81 f1 87 dd 7d",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x240ce0",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2362592,
                            "address": "0x3f2b0ce0"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5359
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 0,
                            "eax": 30398,
                            "ebp": 752906260,
                            "edx": 0,
                            "ebx": 65802,
                            "esi": 1059761751,
                            "ecx": 1059815238
                        },
                        "exception": {
                            "instruction_r": "fb e9 ae 03 00 00 87 3c 24 5c e9 e9 06 00 00 89",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x240b61",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2362209,
                            "address": "0x3f2b0b61"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5360
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 4294940220,
                            "eax": 30398,
                            "ebp": 752906260,
                            "edx": 24811,
                            "ebx": 65802,
                            "esi": 1059761751,
                            "ecx": 1059815238
                        },
                        "exception": {
                            "instruction_r": "fb 56 be d3 b5 fe 5e e9 8a fd ff ff 81 e6 a6 8e",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x24106c",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2363500,
                            "address": "0x3f2b106c"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5361
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 4294940220,
                            "eax": 28032,
                            "ebp": 752906260,
                            "edx": 684007248,
                            "ebx": 65802,
                            "esi": 1059761751,
                            "ecx": 1059824913
                        },
                        "exception": {
                            "instruction_r": "fb 29 c0 ff 34 08 ff 34 24 5a 83 ec 04 89 2c 24",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x243cd0",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2374864,
                            "address": "0x3f2b3cd0"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5362
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 4294940220,
                            "eax": 4294942212,
                            "ebp": 752906260,
                            "edx": 15722838,
                            "ebx": 65802,
                            "esi": 1059761751,
                            "ecx": 1059824913
                        },
                        "exception": {
                            "instruction_r": "fb 52 c7 04 24 f7 b9 db 3b 89 04 24 68 eb 0e c5",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x243d6d",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2375021,
                            "address": "0x3f2b3d6d"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5363
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 1059806430,
                            "eax": 1059806944,
                            "ebp": 752906260,
                            "edx": 1647729462,
                            "ebx": 4282382272,
                            "esi": 63424,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb e9 67 04 00 00 c1 ed 03 45 f7 dd 52 ba 0f a9",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x245f52",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2383698,
                            "address": "0x3f2b5f52"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5364
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 1059806430,
                            "eax": 1059833094,
                            "ebp": 752906260,
                            "edx": 1647729462,
                            "ebx": 4282382272,
                            "esi": 63424,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 57 c7 04 24 2c ee fc 3b f7 1c 24 68 32 a7 4e",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x2460a6",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2384038,
                            "address": "0x3f2b60a6"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5365
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 1059806430,
                            "eax": 1059833094,
                            "ebp": 752906260,
                            "edx": 1647729462,
                            "ebx": 4294944056,
                            "esi": 63424,
                            "ecx": 81129
                        },
                        "exception": {
                            "instruction_r": "fb e9 40 fb ff ff 55 89 14 24 89 34 24 68 c1 a8",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x246496",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2385046,
                            "address": "0x3f2b6496"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5366
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 1059806430,
                            "eax": 1059835275,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 2147483650,
                            "esi": 0,
                            "ecx": 14412117
                        },
                        "exception": {
                            "instruction_r": "fb 50 52 ba 93 6f 7a 79 b8 47 b2 97 0a 31 d0 5a",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x24c923",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2410787,
                            "address": "0x3f2bc923"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5375
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 4294941596,
                            "eax": 28600,
                            "ebp": 752906260,
                            "edx": 607947090,
                            "ebx": 1742816568,
                            "esi": 0,
                            "ecx": 1059864232
                        },
                        "exception": {
                            "instruction_r": "fb 83 ec 04 89 0c 24 53 89 e3 50 b8 00 9e ff 66",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x24d4f2",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2413810,
                            "address": "0x3f2bd4f2"
                        }
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5376
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 1059934713,
                            "eax": 27270,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1059893076,
                            "esi": 3784684,
                            "ecx": 1059973772
                        },
                        "exception": {
                            "instruction_r": "fb e9 a8 02 00 00 05 d3 65 fa 5f 2d d7 d3 45 16",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x268775",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2525045,
                            "address": "0x3f2d8775"
                        }
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5445
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 1059934713,
                            "eax": 0,
                            "ebp": 752906260,
                            "edx": 80171094,
                            "ebx": 1059893076,
                            "esi": 3784684,
                            "ecx": 1059949836
                        },
                        "exception": {
                            "instruction_r": "fb 52 e9 00 00 00 00 ba 4b 10 d7 6e 89 d3 e9 98",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x268b86",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2526086,
                            "address": "0x3f2d8b86"
                        }
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5446
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 4294944272,
                            "eax": 3924003155,
                            "ebp": 752906260,
                            "edx": 1059976102,
                            "ebx": 374314622,
                            "esi": 3784684,
                            "ecx": 1059949836
                        },
                        "exception": {
                            "instruction_r": "fb 53 c7 04 24 0f cb 3d 1d 89 3c 24 50 c7 04 24",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x269485",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2528389,
                            "address": "0x3f2d9485"
                        }
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5447
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 35088,
                            "eax": 28768,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1059954518,
                            "esi": 1059990074,
                            "ecx": 3348103168
                        },
                        "exception": {
                            "instruction_r": "fb e9 4b 00 00 00 53 57 e9 cb 02 00 00 89 e2 81",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x272d7b",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2567547,
                            "address": "0x3f2e2d7b"
                        }
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5464
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 35088,
                            "eax": 4294941528,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 604277074,
                            "esi": 1060018842,
                            "ecx": 3348103168
                        },
                        "exception": {
                            "instruction_r": "fb e9 77 01 00 00 83 c4 04 e9 e8 03 00 00 50 89",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x272e5e",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2567774,
                            "address": "0x3f2e2e5e"
                        }
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5465
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669332,
                            "edi": 10528,
                            "eax": 1491686993,
                            "ebp": 752906260,
                            "edx": 2130566132,
                            "ebx": 1059994470,
                            "esi": 0,
                            "ecx": 1060063228
                        },
                        "exception": {
                            "instruction_r": "fb 53 e9 cb fc ff ff 5f 8b 04 24 57 e9 00 00 00",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x2847a4",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2639780,
                            "address": "0x3f2f47a4"
                        }
                    },
                    "time": 1577731987.09375,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5499
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669328,
                            "edi": 10528,
                            "eax": 1060063558,
                            "ebp": 752906260,
                            "edx": 628567343,
                            "ebx": 1059994470,
                            "esi": 0,
                            "ecx": 1060063228
                        },
                        "exception": {
                            "instruction_r": "fb 51 b9 0f e9 f9 7b 41 e9 b9 fd ff ff 29 c7 e9",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x284d26",
                            "instruction": "sti",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2641190,
                            "address": "0x3f2f4d26"
                        }
                    },
                    "time": 1577731987.09375,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5500
            }
        ],
        "references": [],
        "name": "raises_exception"
    },
    {
        "markcount": 0,
        "families": [],
        "description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
        "severity": 2,
        "marks": [],
        "references": [],
        "name": "dumped_buffer"
    },
    {
        "markcount": 20,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 8192,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x77c2f000"
                    },
                    "time": 1577731987.09375,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5496
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 8192,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x77ba0000"
                    },
                    "time": 1577731987.09375,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5498
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 16384,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x3f071000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5565
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x004e0000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5593
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00780000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5594
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x007d0000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5595
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 65536,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01eb0000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5596
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01ec0000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5597
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01ec0000"
                    },
                    "time": 1577731987.12475,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5599
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 1664,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02050000"
                    },
                    "time": 1577731987.14075,
                    "tid": 2736,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5600
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 8192,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x77c2f000"
                    },
                    "time": 1577731987.765375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5346
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 8192,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x77ba0000"
                    },
                    "time": 1577731987.765375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5348
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 16384,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x3f311000"
                    },
                    "time": 1577731987.796375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5419
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01ca0000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5447
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01cb0000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5448
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01d00000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5449
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 65536,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01d10000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5450
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01d60000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5451
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01d60000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5453
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2056,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01db0000"
                    },
                    "time": 1577731987.812375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5454
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "A process attempted to delay the analysis task.",
        "severity": 2,
        "marks": [
            {
                "type": "generic",
                "description": "plugin.exe tried to sleep 1044 seconds, actually delayed analysis time by 1044 seconds"
            }
        ],
        "references": [],
        "name": "antisandbox_sleep"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Drops an executable to the user AppData folder",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "exe_appdata"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "network",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "GetAdaptersAddresses",
                    "return_value": 111,
                    "arguments": {
                        "flags": 15,
                        "family": 0
                    },
                    "time": 1577731996.780375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5971
            }
        ],
        "references": [],
        "name": "antivm_network_adapters"
    },
    {
        "markcount": 4,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.939077313744508,
                "section": {
                    "size_of_data": "0x00004000",
                    "virtual_address": "0x00001000",
                    "entropy": 7.939077313744508,
                    "name": "   \\x00    ",
                    "virtual_size": "0x0000a000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 7.937317964161823,
                "section": {
                    "size_of_data": "0x00004400",
                    "virtual_address": "0x0000b000",
                    "entropy": 7.937317964161823,
                    "name": ".rsrc",
                    "virtual_size": "0x0005a71a"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 7.446764697645025,
                "section": {
                    "size_of_data": "0x001f8400",
                    "virtual_address": "0x00301000",
                    "entropy": 7.446764697645025,
                    "name": "czjzjtyj",
                    "virtual_size": "0x001f9000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 0.9992688276870583,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Allocates execute permission to another process indicative of possible code injection",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2316,
                        "region_size": 5222400,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000168",
                        "allocation_type": 12288,
                        "base_address": "0x002e0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5551
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2316,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000168",
                        "allocation_type": 12288,
                        "base_address": "0x000b0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5552
            }
        ],
        "references": [],
        "name": "allocates_execute_remote_process"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "Checks for the presence of known devices from debuggers and forensic tools",
        "severity": 3,
        "marks": [
            {
                "category": "file",
                "ioc": "\\??\\SICE",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "\\??\\SIWVID",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "\\??\\NTICE",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antidbg_devices"
    },
    {
        "markcount": 358,
        "families": [],
        "description": "Checks for the presence of known windows from debuggers and forensic tools",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "OLLYDBG",
                        "window_name": ""
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5377
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "GBDYLLO",
                        "window_name": ""
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5378
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "pediy06",
                        "window_name": ""
                    },
                    "time": 1577731987.06275,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5379
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5448
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5448
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "File Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5449
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "PROCMON_WINDOW_CLASS",
                        "window_name": ""
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5450
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5451
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "RegmonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5466
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "RegmonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5466
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "Registry Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5467
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "18467-41",
                        "window_name": ""
                    },
                    "time": 1577731987.07775,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5468
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.10975,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5551
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.10975,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5551
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "File Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.10975,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5552
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "PROCMON_WINDOW_CLASS",
                        "window_name": ""
                    },
                    "time": 1577731987.10975,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5553
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.10975,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 5554
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "OLLYDBG",
                        "window_name": ""
                    },
                    "time": 1577731987.734375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5231
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "GBDYLLO",
                        "window_name": ""
                    },
                    "time": 1577731987.734375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5232
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "pediy06",
                        "window_name": ""
                    },
                    "time": 1577731987.734375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5233
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.749375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5298
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.749375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5298
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "File Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.749375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5299
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "PROCMON_WINDOW_CLASS",
                        "window_name": ""
                    },
                    "time": 1577731987.749375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5300
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.749375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5301
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "RegmonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.765375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5316
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "RegmonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.765375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5316
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "Registry Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.765375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5317
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": 0,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "18467-41",
                        "window_name": ""
                    },
                    "time": 1577731987.765375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5318
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.796375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5405
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "FilemonClass",
                        "window_name": ""
                    },
                    "time": 1577731987.796375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5405
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "File Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.796375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5406
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "PROCMON_WINDOW_CLASS",
                        "window_name": ""
                    },
                    "time": 1577731987.796375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5407
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "#0",
                        "window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
                    },
                    "time": 1577731987.796375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5408
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "OLLYDBG",
                        "window_name": ""
                    },
                    "time": 1577731989.843375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5489
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "GBDYLLO",
                        "window_name": ""
                    },
                    "time": 1577731989.843375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5490
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "pediy06",
                        "window_name": ""
                    },
                    "time": 1577731989.843375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5491
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "Regmonclass",
                        "window_name": ""
                    },
                    "time": 1577731991.827375,
                    "tid": 2516,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5499
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "Regmonclass",
                        "window_name": ""
                    },
                    "time": 1577731991.827375,
                    "tid": 2516,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5499
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "OLLYDBG",
                        "window_name": ""
                    },
                    "time": 1577731991.859375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5503
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "GBDYLLO",
                        "window_name": ""
                    },
                    "time": 1577731991.859375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5504
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "pediy06",
                        "window_name": ""
                    },
                    "time": 1577731991.859375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5505
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "18467-41",
                        "window_name": ""
                    },
                    "time": 1577731992.140375,
                    "tid": 2516,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5513
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "Filemonclass",
                        "window_name": ""
                    },
                    "time": 1577731992.452375,
                    "tid": 2516,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5515
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "Filemonclass",
                        "window_name": ""
                    },
                    "time": 1577731992.452375,
                    "tid": 2516,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5515
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "PROCMON_WINDOW_CLASS",
                        "window_name": ""
                    },
                    "time": 1577731992.452375,
                    "tid": 2516,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5516
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "OLLYDBG",
                        "window_name": ""
                    },
                    "time": 1577731993.968375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5587
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "GBDYLLO",
                        "window_name": ""
                    },
                    "time": 1577731993.968375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5588
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "pediy06",
                        "window_name": ""
                    },
                    "time": 1577731993.968375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5589
            },
            {
                "call": {
                    "category": "ui",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 87,
                    "nt_status": -1073741811,
                    "api": "FindWindowA",
                    "return_value": 0,
                    "arguments": {
                        "class_name": "OLLYDBG",
                        "window_name": ""
                    },
                    "time": 1577731995.984375,
                    "tid": 1468,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5952
            }
        ],
        "references": [],
        "name": "antidbg_windows"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Checks the version of Bios, possibly for anti-virtualization",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antivm_generic_bios"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Installs itself for autorun at Windows startup",
        "severity": 3,
        "marks": [
            {
                "type": "generic",
                "reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
                "reg_value": "explorer.exe, \"C:\\ProgramData\\UBlockPlugin\\plugin.exe\""
            }
        ],
        "references": [],
        "name": "persistence_autorun"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Deletes executed files from disk",
        "severity": 3,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\ProgramData\\UBlockPlugin\\plugin.exe",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "deletes_executed_files"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "Manipulates memory of a non-child process indicative of process injection",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 2056 manipulating memory of non-child process 2316",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2316,
                        "region_size": 5222400,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000168",
                        "allocation_type": 12288,
                        "base_address": "0x002e0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5551
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2316,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000168",
                        "allocation_type": 12288,
                        "base_address": "0x000b0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5552
            }
        ],
        "references": [
            "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
        ],
        "name": "injection_modifies_memory"
    },
    {
        "markcount": 7,
        "families": [],
        "description": "Potential code injection by writing to the memory of another process",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 2056 injected into non-child 2316",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "process_handle": "0x00000168",
                        "base_address": "0x002e0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5553
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "process_handle": "0x00000168",
                        "base_address": "0x00346000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5556
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "\u00d6,\u0006\u0082J\u00ec\u0004\u0000r\u00c1\u0004\u0000r!\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x00347000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5557
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "VPS\u00e8\u0001\u0000\u0000\u0000\u00ccX\u0089\u00c3@-\u0000\u0090\u001f\u0000-D\u0017\f\u0010\u0005;\u0017\f\u0010\u0080;\u00ccu\u0019\u00c6\u0003\u0000\u00bb\u0000\u0010\u0000\u0000h\u00ba\u00cb\u00de\u0015h_\u00dcpbSP\u00e8\n\u0000\u0000\u0000\u0083\u00c0\u0000\u0089D$\b[X\u00c3U\u0089\u00e5PSQV\u008bu\b\u008bM\f\u00c1\u00e9\u0002\u008bE\u0010\u008b]\u0014\u0085\u00c9t\n1\u0006\u0001\u001e\u0083\u00c6\u0004I\u00eb\u00f2^Y[X\u00c9\u00c2\u0010\u0000\u0087Gm\u00a4\u0093\u0090\u001f\u00d4\u00a1\u00db\u0098]\u0086\u00c2\u008f\u00983\u00a1(\u009eQ\u0010\u00d55\u0007\u00b5\u00a4F{\u00e3\u0096M\u00b2F\u00fbL\u00aakg\u001aE\u0012:\u0087\u00ac\u0017Zkr\u00bb}\u0000\u00a5cW\u0089,$\u00bd\u0085!\u00a0\u00171\u00eb]S\u0081,$\u00ea0yW\u008b\u0014$\u0083\u00c4\u0004\u0081\u00c2\u00ea0yW)\u00f3\u00b9<\u0016q9\u0081\u00e9\u008f\u0001\u00e47\u0081\u00e1\u00977\u0084\n\u0081\u00e9\u00ab\u0015\u008e|\u00c1\u00e1\u0003I\u0081\u00f1N\u00d6\u00c0\u00051\u00cb1\u00e1\u0083\u00ea\u0001R\u00ff\f$Z\u00c1\u00ea\u0005\u00c1\u00ea\b\u0081\u00e2\u00b78\u00a2d\u0081\u00f2\u001c\u0091D\u00a3\u0089\u00d1\u0089\u00c8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x007da000"
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5559
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "\u0000\u0000.\u0000\u00f8a4\u0000m`4\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x000b0000"
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5575
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "U\u008b\u00ec\u0083\u00e4\u00f8\u0083\u00ec,SV\u008bu\bW\u008b\u001e\u008b~\u0004\u008bC<\u0003\u00c3\u0089D$\u001c+X4\u0083?\u0000t_\u008dG\u0004\u0089D$\u0014\u008b\u0000\u0083\u00f8\brF\u0083\u00c0\u00f8\u00d1\u00e8\u0089D$\u0010\u00ba\u0000\u0000\u0000\u0000t6\u000f\u00b7DW\b\u008b\u00c8\u00c1\u00e8\f\u0081\u00e1\u00ff\u000f\u0000\u0000\u0083\u00f8\u0003t\u0013\u0083\u00f8\nu\u0015\u008b\u0007\u0003\u0006\u0003\u00c1\u0001\u0018\u0083P\u0004\u0000\u00eb\u0007\u008b\u0007\u0003\u0006\u0001\u001c\bB;T$\u0010r\u00ca\u008bD$\u0014\u00038\u0083?\u0000u\u00a1\u008b^\b\u0089\\$\u0010\u008bK\f\u0085\u00c9\u000f\u0084\u00a2\u0000\u0000\u0000\u008b\u0006\u0003\u00c1P\u008dD$4P\u008bF\f\u00ff\u00d0j\u0001\u008dD$4P\u008dD$(P\u008bF\u0010\u00ff\u00d0\u008dD$\u0014P\u008dD$$P\u008bF\u0014j\u0000j\u0000\u00ff\u00d0\u008dD$ P\u008bF\u001c\u00ff\u00d0\u008b;\u0003>\u008b[\u0010\u0003\u001e\u008b\u000f\u0085\u00c9t@y\u0005\u000f\u00b7\u00c1\u00eb\u0007\u008b\u0006\u0083\u00c0\u0002\u0003\u00c1P\u008dD$,P\u008bF\f\u00ff\u00d0\u008dD$\u0018Pj\u0000\u008dD$0P\u00fft$ \u008bF\u0018\u00ff\u00d0\u008bD$\u0018\u0083\u00c7\u0004\u0089\u0003\u008b\u000f\u0083\u00c3\u0004\u0085\u00c9u\u00c0\u008b\\$\u0010\u0083\u00c3\u0014\u0089\\$\u0010\u008bK\f\u0085\u00c9\u000f\u0085^\u00ff\u00ff\u00ff\u008bD$\u001c\u008b\u000e\u008b@(j\u0000j\u0001Q\u0003\u00c1\u00ff\u00d0_^3\u00c0[\u008b\u00e5]\u00c2\u0004\u0000\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc",
                        "process_handle": "0x00000168",
                        "base_address": "0x000b0020"
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5576
            }
        ],
        "references": [],
        "name": "injection_write_memory"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Code injection by writing an executable or DLL to the memory of another process",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 2056 injected into non-child 2316",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00d5\u0000\u00a9a\u0091a\u00c72\u0091a\u00c72\u0091a\u00c72\u0098\u0019T2\u0099a\u00c72\u0091a\u00c62\u00bda\u00c72Rn\u009a2\u0092a\u00c72\u0007\b\u00ce3\u00b0a\u00c72\u0007\b\u00c53\u0090a\u00c72Rich\u0091a\u00c72\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0006\u0000\u00b2`\u0001^\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002!\u000b\u0001\u000e\u0010\u0000Z\u0000\u0000\u0000\u00d2\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u00a0O\u0000\u0000\u0010\u0000\u0000\u0000p\u0000\u0000\u0000\u0000\u0000@\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00b0O\u0000\u0000\u0004\u0000\u0000\u009f\u009b 
\u0000\u0002\u0000@\u0080\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000m`\u0006\u0000\u0095\u0000\u0000\u0000\u0000\u00b0\u0000\u0000\u001a\u00a7\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8a\u0006\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000   \u0000    \u0000\u00a0\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0.rsrc\u0000\u0000\u0000\u001a\u00a7\u0005\u0000\u0000\u00b0\u0000\u0000\u0000D\u0000\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.idata  \u0000\u0010\u0000\u0000\u0000`\u0006\u0000\u0000\u0002\u0000\u0000\u0000\u0094\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0        \u0000\u00a0)\u0000\u0000p\u0006\u0000\u0000\u0002\u0000\u0000\u0000\u0096\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0czjzjtyj\u0000\u0090\u001f\u0000\u0000\u00100\u0000\u0000\u0084\u001f\u0000\u0000\u0098\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0pdsijnhx\u0000\u0010\u0000\u0000\u0000\u00a0O\u0000\u0000\u0002\u0000\u0000\u0000\u001c 
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x002e0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5553
            }
        ],
        "references": [],
        "name": "injection_write_memory_exe"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Expresses interest in specific running processes",
        "severity": 3,
        "marks": [
            {
                "category": "process",
                "ioc": "system",
                "type": "ioc",
                "description": null
            },
            {
                "category": "process: potential process injection target",
                "ioc": "explorer.exe",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "process_interest"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
        "severity": 3,
        "marks": [
            {
                "category": "Process injection",
                "ioc": "Process 2056 resumed a thread in remote process 0",
                "type": "ioc",
                "description": null
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 127,
                    "nt_status": -1073741511,
                    "api": "NtResumeThread",
                    "return_value": 3221225508,
                    "arguments": {
                        "thread_handle": "0x00000168",
                        "suspend_count": 360,
                        "process_identifier": 0
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5578
            }
        ],
        "references": [
            "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
        ],
        "name": "injection_resumethread"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Detects VirtualBox through the presence of a registry key",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antivm_vbox_keys"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Detects VMWare through the in instruction feature",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 3669364,
                            "edi": 4294944212,
                            "eax": 1447909480,
                            "ebp": 752906260,
                            "edx": 22104,
                            "ebx": 1975324853,
                            "esi": 1059487369,
                            "ecx": 20
                        },
                        "exception": {
                            "instruction_r": "ed 64 8f 05 00 00 00 00 52 50 89 0c 24 c7 04 24",
                            "symbol": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f+0x1fb0bd",
                            "instruction": "in eax, dx",
                            "module": "8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin",
                            "exception_code": "0xc0000096",
                            "offset": 2076861,
                            "address": "0x3f26b0bd"
                        }
                    },
                    "time": 1577731986.71875,
                    "tid": 2736,
                    "flags": {}
                },
                "pid": 1664,
                "type": "call",
                "cid": 22
            }
        ],
        "references": [],
        "name": "antivm_vmware_in_instruction"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Detects the presence of Wine emulator",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_CURRENT_USER\\Software\\Wine",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antiemu_wine"
    },
    {
        "markcount": 15,
        "families": [],
        "description": "Executed a process and injected code into it, probably while unpacking",
        "severity": 5,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "CreateProcessInternalW",
                    "return_value": 1,
                    "arguments": {
                        "thread_identifier": 2804,
                        "thread_handle": "0x00000138",
                        "process_identifier": 2056,
                        "current_directory": "",
                        "filepath": "",
                        "track": 1,
                        "command_line": "C:\\ProgramData\\UBlockPlugin\\plugin.exe \"C:\\Users\\cuck\\AppData\\Local\\Temp\\8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f.bin\" ensgJJ",
                        "filepath_r": "",
                        "stack_pivoted": 0,
                        "creation_flags": 0,
                        "process_handle": "0x0000013c",
                        "inherit_handles": 0
                    },
                    "time": 1577731987.17175,
                    "tid": 2736,
                    "flags": {
                        "creation_flags": ""
                    }
                },
                "pid": 1664,
                "type": "call",
                "cid": 5653
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "CreateProcessInternalW",
                    "return_value": 1,
                    "arguments": {
                        "thread_identifier": 2876,
                        "thread_handle": "0x00000164",
                        "process_identifier": 2316,
                        "current_directory": "",
                        "filepath": "C:\\Windows\\System32\\secinit.exe",
                        "track": 1,
                        "command_line": "C:\\ProgramData\\UBlockPlugin\\plugin.exe",
                        "filepath_r": "C:\\Windows\\system32\\secinit.exe",
                        "stack_pivoted": 0,
                        "creation_flags": 4,
                        "process_handle": "0x00000168",
                        "inherit_handles": 0
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "creation_flags": "CREATE_SUSPENDED"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5546
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2316,
                        "region_size": 5222400,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000168",
                        "allocation_type": 12288,
                        "base_address": "0x002e0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5551
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2316,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0x00000168",
                        "allocation_type": 12288,
                        "base_address": "0x000b0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2056,
                "type": "call",
                "cid": 5552
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c8\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00d5\u0000\u00a9a\u0091a\u00c72\u0091a\u00c72\u0091a\u00c72\u0098\u0019T2\u0099a\u00c72\u0091a\u00c62\u00bda\u00c72Rn\u009a2\u0092a\u00c72\u0007\b\u00ce3\u00b0a\u00c72\u0007\b\u00c53\u0090a\u00c72Rich\u0091a\u00c72\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0006\u0000\u00b2`\u0001^\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002!\u000b\u0001\u000e\u0010\u0000Z\u0000\u0000\u0000\u00d2\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u00a0O\u0000\u0000\u0010\u0000\u0000\u0000p\u0000\u0000\u0000\u0000\u0000@\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00b0O\u0000\u0000\u0004\u0000\u0000\u009f\u009b 
\u0000\u0002\u0000@\u0080\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000m`\u0006\u0000\u0095\u0000\u0000\u0000\u0000\u00b0\u0000\u0000\u001a\u00a7\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8a\u0006\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000   \u0000    \u0000\u00a0\u0000\u0000\u0000\u0010\u0000\u0000\u0000@\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0.rsrc\u0000\u0000\u0000\u001a\u00a7\u0005\u0000\u0000\u00b0\u0000\u0000\u0000D\u0000\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.idata  \u0000\u0010\u0000\u0000\u0000`\u0006\u0000\u0000\u0002\u0000\u0000\u0000\u0094\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0        \u0000\u00a0)\u0000\u0000p\u0006\u0000\u0000\u0002\u0000\u0000\u0000\u0096\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0czjzjtyj\u0000\u0090\u001f\u0000\u0000\u00100\u0000\u0000\u0084\u001f\u0000\u0000\u0098\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0pdsijnhx\u0000\u0010\u0000\u0000\u0000\u00a0O\u0000\u0000\u0002\u0000\u0000\u0000\u001c 
\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00e0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x002e0000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5553
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "buffer": "0bf13a18358c613970ad4ee8ee481d6a9a5bcfa0",
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "",
                        "process_handle": "0x00000168",
                        "base_address": "0x002e1000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5554
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "buffer": "52bc2b9a297999754a185feb535147d55c3816ac",
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "",
                        "process_handle": "0x00000168",
                        "base_address": "0x002eb000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5555
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000lstrcpy\u0000\u0000\u0000InitCommonControls\u0000\u0014`\u0006\u0000\u0000\u0000\u0000\u0000\u001e`\u0006\u0000\u0000\u0000\u0000\u0000\u0014`\u0006\u0000\u0000\u0000\u0000\u0000\u001e`\u0006\u0000\u0000\u0000\u0000\u0000kernel32.dll\u0000comctl32.dll\u0000C`\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000S`\u0006\u00003`\u0006\u0000K`\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000``\u0006\u0000;`\u0006\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x00346000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5556
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "\u00d6,\u0006\u0082J\u00ec\u0004\u0000r\u00c1\u0004\u0000r!\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x00347000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5557
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "buffer": "a54c9a3a1041375f45ca678fed683253fff76f09",
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "",
                        "process_handle": "0x00000168",
                        "base_address": "0x005e1000"
                    },
                    "time": 1577731993.109375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5558
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "VPS\u00e8\u0001\u0000\u0000\u0000\u00ccX\u0089\u00c3@-\u0000\u0090\u001f\u0000-D\u0017\f\u0010\u0005;\u0017\f\u0010\u0080;\u00ccu\u0019\u00c6\u0003\u0000\u00bb\u0000\u0010\u0000\u0000h\u00ba\u00cb\u00de\u0015h_\u00dcpbSP\u00e8\n\u0000\u0000\u0000\u0083\u00c0\u0000\u0089D$\b[X\u00c3U\u0089\u00e5PSQV\u008bu\b\u008bM\f\u00c1\u00e9\u0002\u008bE\u0010\u008b]\u0014\u0085\u00c9t\n1\u0006\u0001\u001e\u0083\u00c6\u0004I\u00eb\u00f2^Y[X\u00c9\u00c2\u0010\u0000\u0087Gm\u00a4\u0093\u0090\u001f\u00d4\u00a1\u00db\u0098]\u0086\u00c2\u008f\u00983\u00a1(\u009eQ\u0010\u00d55\u0007\u00b5\u00a4F{\u00e3\u0096M\u00b2F\u00fbL\u00aakg\u001aE\u0012:\u0087\u00ac\u0017Zkr\u00bb}\u0000\u00a5cW\u0089,$\u00bd\u0085!\u00a0\u00171\u00eb]S\u0081,$\u00ea0yW\u008b\u0014$\u0083\u00c4\u0004\u0081\u00c2\u00ea0yW)\u00f3\u00b9<\u0016q9\u0081\u00e9\u008f\u0001\u00e47\u0081\u00e1\u00977\u0084\n\u0081\u00e9\u00ab\u0015\u008e|\u00c1\u00e1\u0003I\u0081\u00f1N\u00d6\u00c0\u00051\u00cb1\u00e1\u0083\u00ea\u0001R\u00ff\f$Z\u00c1\u00ea\u0005\u00c1\u00ea\b\u0081\u00e2\u00b78\u00a2d\u0081\u00f2\u001c\u0091D\u00a3\u0089\u00d1\u0089\u00c8\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x007da000"
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5559
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "\u0000\u0000.\u0000\u00f8a4\u0000m`4\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
                        "process_handle": "0x00000168",
                        "base_address": "0x000b0000"
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5575
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteProcessMemory",
                    "return_value": 1,
                    "arguments": {
                        "process_identifier": 2316,
                        "buffer": "U\u008b\u00ec\u0083\u00e4\u00f8\u0083\u00ec,SV\u008bu\bW\u008b\u001e\u008b~\u0004\u008bC<\u0003\u00c3\u0089D$\u001c+X4\u0083?\u0000t_\u008dG\u0004\u0089D$\u0014\u008b\u0000\u0083\u00f8\brF\u0083\u00c0\u00f8\u00d1\u00e8\u0089D$\u0010\u00ba\u0000\u0000\u0000\u0000t6\u000f\u00b7DW\b\u008b\u00c8\u00c1\u00e8\f\u0081\u00e1\u00ff\u000f\u0000\u0000\u0083\u00f8\u0003t\u0013\u0083\u00f8\nu\u0015\u008b\u0007\u0003\u0006\u0003\u00c1\u0001\u0018\u0083P\u0004\u0000\u00eb\u0007\u008b\u0007\u0003\u0006\u0001\u001c\bB;T$\u0010r\u00ca\u008bD$\u0014\u00038\u0083?\u0000u\u00a1\u008b^\b\u0089\\$\u0010\u008bK\f\u0085\u00c9\u000f\u0084\u00a2\u0000\u0000\u0000\u008b\u0006\u0003\u00c1P\u008dD$4P\u008bF\f\u00ff\u00d0j\u0001\u008dD$4P\u008dD$(P\u008bF\u0010\u00ff\u00d0\u008dD$\u0014P\u008dD$$P\u008bF\u0014j\u0000j\u0000\u00ff\u00d0\u008dD$ P\u008bF\u001c\u00ff\u00d0\u008b;\u0003>\u008b[\u0010\u0003\u001e\u008b\u000f\u0085\u00c9t@y\u0005\u000f\u00b7\u00c1\u00eb\u0007\u008b\u0006\u0083\u00c0\u0002\u0003\u00c1P\u008dD$,P\u008bF\f\u00ff\u00d0\u008dD$\u0018Pj\u0000\u008dD$0P\u00fft$ \u008bF\u0018\u00ff\u00d0\u008bD$\u0018\u0083\u00c7\u0004\u0089\u0003\u008b\u000f\u0083\u00c3\u0004\u0085\u00c9u\u00c0\u008b\\$\u0010\u0083\u00c3\u0014\u0089\\$\u0010\u008bK\f\u0085\u00c9\u000f\u0085^\u00ff\u00ff\u00ff\u008bD$\u001c\u008b\u000e\u008b@(j\u0000j\u0001Q\u0003\u00c1\u00ff\u00d0_^3\u00c0[\u008b\u00e5]\u00c2\u0004\u0000\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc\u00cc",
                        "process_handle": "0x00000168",
                        "base_address": "0x000b0020"
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5576
            },
            {
                "call": {
                    "category": "process",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 127,
                    "nt_status": -1073741511,
                    "api": "NtResumeThread",
                    "return_value": 3221225508,
                    "arguments": {
                        "thread_handle": "0x00000168",
                        "suspend_count": 360,
                        "process_identifier": 0
                    },
                    "time": 1577731993.968375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5578
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtResumeThread",
                    "return_value": 0,
                    "arguments": {
                        "thread_handle": "0x000001b8",
                        "suspend_count": 1,
                        "process_identifier": 2056
                    },
                    "time": 1577731994.515375,
                    "tid": 2804,
                    "flags": {}
                },
                "pid": 2056,
                "type": "call",
                "cid": 5759
            }
        ],
        "references": [],
        "name": "injection_runpe"
    }
]

Yara

[
    {
        "meta": {
            "description": "Possibly employs anti-virtualization techniques",
            "author": "nex"
        },
        "name": "vmdetect",
        "offsets": {
            "virtualpc": [
                [
                    939410,
                    0
                ]
            ]
        },
        "strings": [
            "Dz8HCw=="
        ]
    }
]

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 546,
            "time": 3.152010917663574,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 9114,
            "time": 9.14145803451538,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 10958,
            "time": 3.027930974960327,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 11286,
            "time": 1.0417768955230713,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 11614,
            "time": 3.147831916809082,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 11942,
            "time": 1.6105270385742188,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 12270,
            "time": -0.09787511825561523,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 12598,
            "time": 1.5798299312591553,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 32008,
            "time": 1.0626380443572998,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 40392,
            "time": 3.138936996459961,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "13f9c70b6ffdba4b2a923e18b48fdb39ed25d7382101ad5ca9e31cd33625055f",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "876df8dd67c8fd5d3b5c9c7e5e6e26f44691e6461d8aedfb6ba5e46bfcc8ffdc",
    "irc": [],
    "https_ex": []
}

Screenshots

Three screenshots from the sandbox run (images not reproduced here).

45gredcs.exe removal instructions

The instructions below show how to remove 45gredcs.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the 45gredcs.exe file for removal, restart your computer and scan it again to verify that 45gredcs.exe has been successfully removed. Here are the removal instructions in more detail:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
  2. Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
  3. When the scan is finished, locate 45gredcs.exe in the scan result and tick the checkbox next to the 45gredcs.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate 45gredcs.exe in the scan result.
    C:\ProgramData\UBlockPlugin\45gredcs.exe
  4. Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the 45gredcs.exe file.
  5. Restart your computer.
  6. Start FreeFixer and scan your computer again. If 45gredcs.exe still remains in the scan result, proceed with the next step. If 45gredcs.exe is gone from the scan result you're done.
  7. If 45gredcs.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
  8. Restart your computer.
  9. Start FreeFixer and scan your computer again. Verify that 45gredcs.exe no longer appears in the scan result.

Filename variants

45gredcs.exe may also use other filenames. The most common variants are listed below:

Folder name variants

45gredcs.exe may also be located in other folders than C:\ProgramData\UBlockPlugin\. The most common variants are listed below:

Hashes [?]

Property   Value
MD5        cfe430475fe152057fb6690ea227c6d1
SHA256     8a1702f42123de7ef92a4945d5daa256bf20181fbcc30c62e96c4241b550a03f

Error Messages

These are some of the error messages that can appear related to 45gredcs.exe:

45gredcs.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

45gredcs.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

45gredcs.exe has stopped working.

End Program - 45gredcs.exe. This program is not responding.

45gredcs.exe is not a valid Win32 application.

45gredcs.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.

What did other users do?

The poll result listed below shows what users chose to do with 45gredcs.exe. 100% have voted for removal. Based on votes from 2 users.

Votes

Option   Share   Count
Keep     0 %     0
Remove   100 %   2

NOTE: Please do not use this poll as the only source of input to determine what you will do with 45gredcs.exe. Only 2 users have voted so far, so it does not offer a high degree of confidence.

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.
