What is CcavGuard64.dll?

CcavGuard64.dll is part of COMODO Cloud Antivirus and developed by COMODO according to the CcavGuard64.dll version information.

CcavGuard64.dll's description is "COMODO Cloud Antivirus".

CcavGuard64.dll is digitally signed by Comodo Security Solutions, Inc.

CcavGuard64.dll is usually located in the 'C:\Windows\system32\' folder.

None of the anti-virus scanners at VirusTotal reports anything malicious about CcavGuard64.dll.

Vendor and version information

The following is the available information on CcavGuard64.dll:

Property          Value
Product name      COMODO Cloud Antivirus
Company name      COMODO
File description  COMODO Cloud Antivirus
Legal copyright   2005-2018 COMODO. All rights reserved.
Product version   1, 21, 465847, 842
File version      1, 21, 465847, 842

Here's a screenshot of the file properties when displayed by Windows Explorer:

[Screenshot: Windows Explorer file properties dialog showing the same product name, company name, file description, legal copyright and version values as the table above]

Digital signatures

CcavGuard64.dll has a valid digital signature.

Property                   Value
Signer name                Comodo Security Solutions, Inc.
Certificate issuer name    COMODO Code Signing CA 2
Certificate serial number  00c5144cf5e535f748a9afa6fc384c0775

VirusTotal report

None of the 61 anti-virus programs at VirusTotal detected the CcavGuard64.dll file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

{
    "file_recreated": [
        "\\??\\C:"
    ],
    "dll_loaded": [
        "kernel32",
        "FLTLIB.DLL",
        "api-ms-win-core-fibers-l1-1-1",
        "api-ms-win-core-localization-l1-2-1",
        "USER32.dll",
        "ntdll.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll",
        "api-ms-win-core-synch-l1-2-0"
    ],
    "file_opened": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll",
        "C:\\"
    ],
    "command_line": [
        "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll,DllMain"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll.manifest"
    ],
    "file_failed": [
        "C:\\Global??\\FltMgrMsg"
    ],
    "file_read": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
    ]
}

Generic

[
    {
        "process_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "process_name": "rundll32.exe",
        "pid": 2736,
        "summary": {
            "dll_loaded": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll"
            ],
            "command_line": [
                "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll,DllMain"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll.manifest"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
            ]
        },
        "first_seen": 1565797984.5469,
        "ppid": 2456
    },
    {
        "process_path": "C:\\Windows\\System32\\rundll32.exe",
        "process_name": "rundll32.exe",
        "pid": 2872,
        "summary": {
            "file_failed": [
                "C:\\Global??\\FltMgrMsg"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll.manifest"
            ],
            "file_recreated": [
                "\\??\\C:"
            ],
            "dll_loaded": [
                "kernel32",
                "FLTLIB.DLL",
                "api-ms-win-core-fibers-l1-1-1",
                "api-ms-win-core-localization-l1-2-1",
                "USER32.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e.bin.dll",
                "ntdll.dll",
                "api-ms-win-core-synch-l1-2-0"
            ],
            "file_opened": [
                "C:\\"
            ]
        },
        "first_seen": 1565797984.9062,
        "ppid": 2736
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1565797984.2969,
        "ppid": 376
    }
]

Signatures

[
    {
        "markcount": 1,
        "families": [],
        "description": "This executable has a PDB path",
        "severity": 1,
        "marks": [
            {
                "category": "pdb_path",
                "ioc": "D:\\Haibo\\COMODOCloudAntivirus\\ccav1.20\\Release\\x64\\Symbols\\CcavGuard64.pdb",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "has_pdb"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
        "severity": 1,
        "marks": [
            {
                "category": "section",
                "ioc": ".gfids",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": ".detourc",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": ".detourd",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "pe_features"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "One or more processes crashed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf\n\n\n0\nx\n7\nf\ne\nf\n0\na\nf\n8\n7\n8\nf",
                        "registers": {
                            "r14": 4290838528,
                            "r9": 2422096,
                            "rcx": 48,
                            "rsi": 0,
                            "r10": 0,
                            "rbx": 8791541022720,
                            "rdi": 3317618,
                            "r11": 518,
                            "r8": 2422024,
                            "rdx": 8796092883536,
                            "rbp": 8791541022720,
                            "r15": 2423712,
                            "r12": 0,
                            "rsp": 2422816,
                            "rax": 0,
                            "r13": 3317604
                        },
                        "exception": {
                            "symbol": "",
                            "exception_code": "0xc0000005",
                            "address": "0x7fef0af878f"
                        }
                    },
                    "time": 1565797557.0655,
                    "tid": 1480,
                    "flags": {}
                },
                "pid": 2872,
                "type": "call",
                "cid": 392
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6\n\n\n0\nx\n7\nf\ne\nf\n0\na\ne\n6\n6\n0\n6",
                        "registers": {
                            "r14": 8791541492456,
                            "r9": 31979968,
                            "rcx": 48,
                            "rsi": 3409216,
                            "r10": 0,
                            "rbx": 8791541492456,
                            "rdi": 0,
                            "r11": 514,
                            "r8": 31979912,
                            "rdx": 8796092875344,
                            "rbp": 0,
                            "r15": 362880,
                            "r12": 60504,
                            "rsp": 31981344,
                            "rax": 0,
                            "r13": 0
                        },
                        "exception": {
                            "symbol": "",
                            "exception_code": "0xc0000005",
                            "address": "0x7fef0ae6606"
                        }
                    },
                    "time": 1565797557.0655,
                    "tid": 2952,
                    "flags": {}
                },
                "pid": 2872,
                "type": "call",
                "cid": 394
            }
        ],
        "references": [],
        "name": "raises_exception"
    },
    {
        "markcount": 89,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "region_size": 65536,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "allocation_type": 12288,
                        "base_address": "0x0000000037790000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 94
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000777ae000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 95
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "region_size": 65536,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 1,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "allocation_type": 12288,
                        "base_address": "0x000007febda30000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT|MEM_RESERVE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 98
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x000007fefda43000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 99
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x000007fefda43000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 102
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x000007fefda23000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 105
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x000007fefda15000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 108
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6125,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 133
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000779d3000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 136
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778ce000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 139
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778ce000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 142
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 145
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 148
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a02000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 151
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 154
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 157
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 161
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a02000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 164
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 168
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a02000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 171
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 174
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 177
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 180
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 183
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a02000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 186
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a02000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 189
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 192
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 195
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 198
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 201
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 204
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 207
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a02000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 210
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 213
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000779ed000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 216
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000779d2000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 219
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a03000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 222
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 225
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077a01000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 242
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x0000000077901000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 251
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778ba000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 254
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778c7000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 257
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778bd000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 260
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778c0000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 263
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778bd000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 266
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778c6000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 269
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778d8000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 272
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778bf000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 275
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x000000007792d000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 278
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2872,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 4096,
                        "protection": 64,
                        "process_handle": "0xffffffffffffffff",
                        "base_address": "0x00000000778c5000"
                    },
                    "time": 1565797555.6285,
                    "tid": 1480,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2872,
                "type": "call",
                "cid": 281
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 662,
            "time": 6.204626083374,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 5658,
            "time": 6.1397840976715,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 5986,
            "time": 4.1572480201721,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 6314,
            "time": 6.1474561691284,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 6642,
            "time": 4.6636061668396,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 6970,
            "time": 3.0551249980927,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7298,
            "time": 8.9333460330963,
            "dport": 5355,
            "sport": 55880
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 7618,
            "time": 4.6928889751434,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 17416,
            "time": 4.1945550441742,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 25800,
            "time": 6.2554841041565,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "931d715ba5aed69a32a5056b085d8ca7b279f9d41735354ddeeefdd7f1f51ef1",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "548c3a6095c9b4368232a334134695e143cab9497f7458ef63a62a21ec72f0b8",
    "irc": [],
    "https_ex": []
}

Screenshots

[Three screenshots from the sandbox; images not reproduced]

Other files also named CcavGuard64.dll

CcavGuard64.dll (11 votes)

Hashes [?]

Property: Value
MD5: 4591a7da8dc7b085968b16de480da6ba
SHA256: d56050205c08341bdd5c6058615f5a92de5a1b872dc03807ad33235c724a7c7e

Malware or legitimate?

If you feel that you need more information to determine whether you should keep this file or remove it, please read this guide.


And now some shameless self promotion ;)

Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.

If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.
