InstAosmgr.exe is part of KK??? and developed by ?????????? according to the InstAosmgr.exe version information.
InstAosmgr.exe's description is "KK???".
InstAosmgr.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected InstAosmgr.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
The following is the available information on InstAosmgr.exe:
| Property | Value |
|---|---|
| Product name | KK??? |
| Company name | ?????????? |
| File description | KK??? |
| Internal name | KKPlayer.exe |
| Original filename | KKPlayer.exe |
| Legal copyright | ?????????? ??????? |
| Product version | 2, 6, 1, 6 |
| File version | 2, 6, 1, 6 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
InstAosmgr.exe is not signed.
54 of the 71 anti-virus programs at VirusTotal detected the InstAosmgr.exe file. That's a 76% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.5561429 |
| AegisLab | Trojan.Win32.Generic.4!c |
| AhnLab-V3 | Trojan/Win32.Banki.R203756 |
| Alibaba | Trojan:Win32/Qzonit.00a4a790 |
| ALYac | Trojan.GenericKD.5561429 |
| Antiy-AVL | Trojan[Banker]/Win32.Banbra |
| Arcabit | Trojan.Generic.D54DC55 |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| Avira | HEUR/AGEN.1011960 |
| BitDefender | Trojan.GenericKD.5561429 |
| Bkav | W32.HfsAutoB. |
| CAT-QuickHeal | Trojan.Febipos.YY5 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.9f9a96 |
| Cylance | Unsafe |
| DrWeb | Trojan.DownLoader25.6972 |
| eGambit | Trojan.Generic |
| Emsisoft | Trojan.GenericKD.5561429 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Packed.Themida.CRS |
| F-Secure | Heuristic.HEUR/AGEN.1011960 |
| FireEye | Generic.mg.1408dfd9f9a963ba |
| Fortinet | W32/Banbra.WAHW!tr |
| GData | Trojan.GenericKD.5561429 |
| Invincea | heuristic |
| Jiangmin | Trojan.Banker.Banbra.cap |
| K7AntiVirus | Trojan ( 000141f61 ) |
| K7GW | Trojan ( 000141f61 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Malwarebytes | Trojan.Banker.OL |
| MAX | malware (ai score=100) |
| McAfee | Artemis!1408DFD9F9A9 |
| McAfee-GW-Edition | BehavesLike.Win32.PWSBanker.bc |
| Microsoft | Trojan:Win32/Qzonit.A!bit |
| MicroWorld-eScan | Trojan.GenericKD.5561429 |
| NANO-Antivirus | Trojan.Win32.Banbra.eqrrsw |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Qihoo-360 | Win32/Trojan.d7c |
| Rising | Trojan.Qzonit!8.E0EF (CLOUD) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Generic-S |
| Symantec | ML.Attribute.HighConfidence |
| TACHYON | Banker/W32.Pharm.783360 |
| Tencent | Win32.Trojan.Generic.Dumi |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TROJ_GEN.R03FC0DC919 |
| TrendMicro-HouseCall | TROJ_GEN.R03FC0DC919 |
| VBA32 | TScope.Malware-Cryptor.SB |
| Yandex | Trojan.PWS.Banbra!NUxVOHkqYxM |
| Zillya | Trojan.GenericKD.Win32.53274 |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909614.421625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8074
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909616.436625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8093
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909618.452625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8105
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909620.468625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8122
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909622.483625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8137
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909624.499625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8149
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909626.515625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8169
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909628.530625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8181
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909630.546625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8200
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909632.561625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8212
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909634.577625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8231
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909636.593625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8244
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909638.608625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8258
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909640.624625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8275
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909642.640625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8288
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909644.655625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8307
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909646.671625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8319
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909648.686625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8341
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909650.702625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8353
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909652.718625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8367
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909654.733625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8385
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909656.749625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8399
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909658.765625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8418
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909660.780625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8431
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909662.796625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8450
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909664.811625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8462
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909666.827625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8478
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909668.843625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8493
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909670.858625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8505
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909672.874625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8525
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909674.890625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8537
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909676.905625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8556
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909678.921625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8569
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909680.936625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8588
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909682.952625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8600
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909684.968625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8614
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574909686.983625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8631
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 5,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": " \\x00 ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": ".idata ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": " ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "itowsvrv",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "yevpyaju",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 114,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77bc9ed2\nRtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77bc9ea5",
"registers": {
"esp": 1638276,
"edi": 0,
"eax": 1,
"ebp": 1638292,
"edx": 6037504,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"exception": {
"instruction_r": "fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x1290b9",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 1216697,
"address": "0x5290b9"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 0
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638240,
"edi": 1975189736,
"eax": 31390,
"ebp": 4130988052,
"edx": 4586913,
"ebx": 4194304,
"esi": 3,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb 81 c2 0c 5d 32 23 e9 dc fd ff ff 81 e9 3b 18",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x605ba",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 394682,
"address": "0x4605ba"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 1
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 1975189736,
"eax": 31390,
"ebp": 4130988052,
"edx": 4590123,
"ebx": 7542632,
"esi": 0,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb 68 e3 43 8d 3a ff 34 24 e9 13 06 00 00 89 3c",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x60158",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 393560,
"address": "0x460158"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638240,
"edi": 4590508,
"eax": 29463,
"ebp": 4130988052,
"edx": 1662113857,
"ebx": 7542632,
"esi": 0,
"ecx": 1852162561
},
"exception": {
"instruction_r": "fb 81 c7 6f 4b 7d 78 55 bd 9e 2f 6e 60 01 ef 8b",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x614bb",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 398523,
"address": "0x4614bb"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 3
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4619971,
"eax": 29463,
"ebp": 4130988052,
"edx": 1662113857,
"ebx": 7542632,
"esi": 0,
"ecx": 1852162561
},
"exception": {
"instruction_r": "fb 29 db ff 34 1f ff 34 24 ff 34 24 ff 34 24 5e",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x60f65",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 397157,
"address": "0x460f65"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 4
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4619971,
"eax": 29463,
"ebp": 4130988052,
"edx": 1662113857,
"ebx": 4294940628,
"esi": 226537,
"ecx": 1852162561
},
"exception": {
"instruction_r": "fb 68 a7 74 00 00 e9 1c 02 00 00 87 34 24 e9 ab",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x6110f",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 397583,
"address": "0x46110f"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 5
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638240,
"edi": 4620822,
"eax": 25804,
"ebp": 4130988052,
"edx": 344064,
"ebx": 344064,
"esi": 4775706,
"ecx": 4776020
},
"exception": {
"instruction_r": "fb 81 e9 81 0f 79 75 81 e9 91 46 0d 14 81 c1 1e",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x8e29b",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 582299,
"address": "0x48e29b"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4620822,
"eax": 25804,
"ebp": 4130988052,
"edx": 344064,
"ebx": 344064,
"esi": 4775706,
"ecx": 4801824
},
"exception": {
"instruction_r": "fb 31 d2 ff 34 0a ff 34 24 e9 8c 02 00 00 c1 ee",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x8e195",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 582037,
"address": "0x48e195"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4620822,
"eax": 25804,
"ebp": 4130988052,
"edx": 4294944236,
"ebx": 344064,
"esi": 24297,
"ecx": 4801824
},
"exception": {
"instruction_r": "fb 68 74 4f 00 00 89 0c 24 e9 28 ff ff ff 56 89",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x8e8ab",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 583851,
"address": "0x48e8ab"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 8
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4791481,
"eax": 25948,
"ebp": 4130988052,
"edx": 0,
"ebx": 50665,
"esi": 0,
"ecx": 2008823930
},
"exception": {
"instruction_r": "fb 68 00 27 b4 16 ff 34 24 8b 14 24 81 c4 04 00",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x91aa9",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 596649,
"address": "0x491aa9"
}
},
"time": 1574909587.874625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 15
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4791481,
"eax": 4835474,
"ebp": 4130988052,
"edx": 380905216,
"ebx": 61522022,
"esi": 0,
"ecx": 14288
},
"exception": {
"instruction_r": "fb 31 f6 ff 34 06 ff 34 24 5b 68 83 6d 00 00 e9",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x96515",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 615701,
"address": "0x496515"
}
},
"time": 1574909587.890625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 16
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4791481,
"eax": 4835474,
"ebp": 4130988052,
"edx": 380905216,
"ebx": 199913,
"esi": 4294943136,
"ecx": 14288
},
"exception": {
"instruction_r": "fb 57 54 5f 81 c7 04 00 00 00 e9 7d 02 00 00 68",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x96374",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 615284,
"address": "0x496374"
}
},
"time": 1574909587.890625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 17
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 7351536,
"eax": 1447909480,
"ebp": 4130988052,
"edx": 22104,
"ebx": 1975324853,
"esi": 4818951,
"ecx": 20
},
"exception": {
"instruction_r": "ed 64 8f 05 00 00 00 00 50 53 54 5b 83 ec 04 89",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x99111",
"instruction": "in eax, dx",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 626961,
"address": "0x499111"
}
},
"time": 1574909587.890625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 22
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 7351536,
"eax": 1,
"ebp": 4130988052,
"edx": 22104,
"ebx": 0,
"esi": 4818951,
"ecx": 20
},
"exception": {
"instruction_r": "0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x9904e",
"address": "0x49904e",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc000001d",
"offset": 626766
}
},
"time": 1574909587.890625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 23
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 7351536,
"eax": 1447909480,
"ebp": 4130988052,
"edx": 22104,
"ebx": 2256917605,
"esi": 4818951,
"ecx": 10
},
"exception": {
"instruction_r": "ed 81 fb 68 58 4d 56 75 0a c7 85 5c 38 0c 0a 01",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x9abf1",
"instruction": "in eax, dx",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 633841,
"address": "0x49abf1"
}
},
"time": 1574909587.890625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 24
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 0,
"eax": 1638204,
"ebp": 4130988052,
"edx": 2130535907,
"ebx": 4846617,
"esi": 27,
"ecx": 0
},
"exception": {
"instruction_r": "cd 01 eb 00 66 81 f1 4e 0c 64 8f 05 00 00 00 00",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x9f311",
"instruction": "int 1",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000005",
"offset": 652049,
"address": "0x49f311"
}
},
"time": 1574909588.046625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2824
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 7351536,
"eax": 26398,
"ebp": 4130988052,
"edx": 4873590,
"ebx": 31297031,
"esi": 5642,
"ecx": 5642
},
"exception": {
"instruction_r": "fb 68 0f 17 00 00 ff 34 24 e9 f4 08 00 00 81 f7",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x9f6fd",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 653053,
"address": "0x49f6fd"
}
},
"time": 1574909588.046625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2825
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 2283,
"eax": 0,
"ebp": 4130988052,
"edx": 4849978,
"ebx": 31297031,
"esi": 5642,
"ecx": 5642
},
"exception": {
"instruction_r": "fb 53 89 3c 24 68 d2 41 00 00 89 04 24 68 14 02",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x9f689",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 652937,
"address": "0x49f689"
}
},
"time": 1574909588.046625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 2826
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638244,
"edi": 4584826,
"eax": 30016,
"ebp": 4130988052,
"edx": 4294939628,
"ebx": 4907079,
"esi": 1975260176,
"ecx": 1179202795
},
"exception": {
"instruction_r": "fb 55 bd ca 3c af 57 e9 28 00 00 00 81 ea 60 14",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xa7374",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 684916,
"address": "0x4a7374"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6114
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638232,
"edi": 4584826,
"eax": 27005,
"ebp": 4130988052,
"edx": 659809891,
"ebx": 4896906,
"esi": 1976272156,
"ecx": 659809891
},
"exception": {
"instruction_r": "fb 83 ec 04 89 34 24 be 5d 33 e2 05 52 ba bd 54",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xabe85",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 704133,
"address": "0x4abe85"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6116
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 4584826,
"eax": 27005,
"ebp": 4130988052,
"edx": 659809891,
"ebx": 4923911,
"esi": 4294943420,
"ecx": 607422807
},
"exception": {
"instruction_r": "fb 53 bb 9c 21 59 77 56 e9 36 00 00 00 81 e9 a5",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xac1df",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 704991,
"address": "0x4ac1df"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6117
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638232,
"edi": 4900235,
"eax": 31219,
"ebp": 4130988052,
"edx": 2020897361,
"ebx": 376328655,
"esi": 4294943420,
"ecx": 607422807
},
"exception": {
"instruction_r": "fb e9 1f 01 00 00 81 c3 5a 21 b3 55 01 eb e9 b8",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xac61b",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 706075,
"address": "0x4ac61b"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6118
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 4903362,
"eax": 31219,
"ebp": 4130988052,
"edx": 0,
"ebx": 376328655,
"esi": 71145,
"ecx": 607422807
},
"exception": {
"instruction_r": "fb 68 b9 ef 30 08 ff 34 24 ff 34 24 e9 00 00 00",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xad19b",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 709019,
"address": "0x4ad19b"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6119
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 4903362,
"eax": 30925,
"ebp": 4130988052,
"edx": 30185,
"ebx": 4294939272,
"esi": 71145,
"ecx": 4940708
},
"exception": {
"instruction_r": "fb 55 51 b9 18 70 86 22 e9 3d 00 00 00 87 3c 24",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xaf06c",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 716908,
"address": "0x4af06c"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6121
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638232,
"edi": 0,
"eax": 25820,
"ebp": 4130988052,
"edx": 2130532852,
"ebx": 4952884,
"esi": 8433750,
"ecx": 3349086208
},
"exception": {
"instruction_r": "fb 50 81 ec 04 00 00 00 89 1c 24 bb 6e 30 dd 12",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xb9569",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 759145,
"address": "0x4b9569"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6136
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 0,
"eax": 25820,
"ebp": 4130988052,
"edx": 2130532852,
"ebx": 4978704,
"esi": 8433750,
"ecx": 3349086208
},
"exception": {
"instruction_r": "fb 53 68 70 5b fe 71 ff 34 24 ff 34 24 e9 de fb",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xb976e",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 759662,
"address": "0x4b976e"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6137
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 0,
"eax": 4186662496,
"ebp": 4130988052,
"edx": 2130532852,
"ebx": 4955684,
"esi": 8433750,
"ecx": 3349086208
},
"exception": {
"instruction_r": "fb 51 68 ee 3d 00 00 89 1c 24 bb d5 31 3a 2e 81",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xb941a",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 758810,
"address": "0x4b941a"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6138
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 11753,
"eax": 32413,
"ebp": 4130988052,
"edx": 0,
"ebx": 1491681373,
"esi": 5028678,
"ecx": 1977363580
},
"exception": {
"instruction_r": "fb 57 e9 d4 fb ff ff bb 0d 28 6d 3c 89 d9 5b 57",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xcb6aa",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 833194,
"address": "0x4cb6aa"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6165
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638200,
"edi": 5031068,
"eax": 30557,
"ebp": 4130988052,
"edx": 5033385,
"ebx": 983520644,
"esi": 5030288,
"ecx": 0
},
"exception": {
"instruction_r": "fb 68 3f 01 00 00 89 34 24 be 4b 75 6d 55 29 f2",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xccff0",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 839664,
"address": "0x4ccff0"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6168
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 5031068,
"eax": 30557,
"ebp": 4130988052,
"edx": 5063942,
"ebx": 983520644,
"esi": 5030288,
"ecx": 0
},
"exception": {
"instruction_r": "fb e9 e1 01 00 00 89 d8 8b 1c 24 56 89 e6 81 c6",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xcd4e2",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 840930,
"address": "0x4cd4e2"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6169
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294939492,
"eax": 30557,
"ebp": 4130988052,
"edx": 5063942,
"ebx": 983520644,
"esi": 5030288,
"ecx": 607947094
},
"exception": {
"instruction_r": "fb e9 ef 00 00 00 51 b9 8b 6e c2 48 41 e9 43 01",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xccf85",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 839557,
"address": "0x4ccf85"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6170
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294939492,
"eax": 31359,
"ebp": 4130988052,
"edx": 1244106177,
"ebx": 5067695,
"esi": 5030288,
"ecx": 1769962677
},
"exception": {
"instruction_r": "fb 68 65 3e 00 00 89 04 24 57 bf 3e 08 b3 45 57",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xcdba2",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 842658,
"address": "0x4cdba2"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6171
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 6889,
"eax": 31359,
"ebp": 4130988052,
"edx": 1244106177,
"ebx": 5038871,
"esi": 0,
"ecx": 1769962677
},
"exception": {
"instruction_r": "fb bb 34 4f 45 38 81 e3 04 6a 02 02 83 ec 04 89",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xcde52",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 843346,
"address": "0x4cde52"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6172
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 6889,
"eax": 28629,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 6889,
"esi": 1,
"ecx": 5069254
},
"exception": {
"instruction_r": "fb 53 81 ec 04 00 00 00 e9 f0 00 00 00 5f 5b e9",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xcf142",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 848194,
"address": "0x4cf142"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6175
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294941388,
"eax": 28629,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 355765645,
"esi": 1,
"ecx": 5069254
},
"exception": {
"instruction_r": "fb 68 60 28 00 00 89 3c 24 e9 53 06 00 00 55 bd",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xceb51",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 846673,
"address": "0x4ceb51"
}
},
"time": 1574909588.218625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6176
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294940196,
"eax": 5082852,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 4593748,
"esi": 5815,
"ecx": 2298801283
},
"exception": {
"instruction_r": "fb 68 7b d0 1b 04 8b 04 24 e9 5a 00 00 00 55 e9",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xd1f40",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 859968,
"address": "0x4d1f40"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6184
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638200,
"edi": 4294940196,
"eax": 31805,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 4593748,
"esi": 5815,
"ecx": 5055980
},
"exception": {
"instruction_r": "fb 81 c1 3b 6a 1c 7b 68 a3 34 00 00 89 3c 24 bf",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xd28fa",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 862458,
"address": "0x4d28fa"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6185
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294940196,
"eax": 31805,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 2298801283,
"esi": 0,
"ecx": 5059129
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 34 24 be ff 16 fa 34 e9",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xd2fc9",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 864201,
"address": "0x4d2fc9"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6186
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294940196,
"eax": 25851,
"ebp": 4130988052,
"edx": 4294943960,
"ebx": 5085176,
"esi": 2838505195,
"ecx": 5059129
},
"exception": {
"instruction_r": "fb 53 55 bd 35 3e ae 52 57 bf 46 7e 3c 0a 29 fd",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xd3768",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 866152,
"address": "0x4d3768"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6187
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638200,
"edi": 5071682,
"eax": 26624,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 1983578086,
"esi": 5066195,
"ecx": 5080360
},
"exception": {
"instruction_r": "fb 81 e9 bc 2a 61 72 03 0c 24 68 00 3d 00 00 89",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xd8c77",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 887927,
"address": "0x4d8c77"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6206
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 4294943624,
"eax": 26624,
"ebp": 4130988052,
"edx": 7145,
"ebx": 1983578086,
"esi": 5066195,
"ecx": 5106984
},
"exception": {
"instruction_r": "fb 52 e9 e3 00 00 00 01 d7 5a 81 ef 2a 2b 70 5b",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xd8869",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 886889,
"address": "0x4d8869"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6207
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638200,
"edi": 4294943624,
"eax": 30452,
"ebp": 4130988052,
"edx": 1672309322,
"ebx": 2081859416,
"esi": 5087739,
"ecx": 1261501402
},
"exception": {
"instruction_r": "fb 50 68 88 19 b3 37 e9 79 00 00 00 01 ee 5d e9",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xda782",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 894850,
"address": "0x4da782"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6208
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 27881,
"eax": 30452,
"ebp": 4130988052,
"edx": 1672309322,
"ebx": 0,
"esi": 5090991,
"ecx": 1261501402
},
"exception": {
"instruction_r": "fb e9 86 01 00 00 ba ae 6e ac 7b 81 e2 87 08 cc",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xdabf3",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 895987,
"address": "0x4dabf3"
}
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6209
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 3019377164,
"eax": 28415,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 5141405,
"esi": 1337362280,
"ecx": 1977363580
},
"exception": {
"instruction_r": "fb 52 e9 e6 01 00 00 83 c3 04 87 1c 24 e9 d9 03",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe077c",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 919420,
"address": "0x4e077c"
}
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6277
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 3019377164,
"eax": 28415,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 5116641,
"esi": 0,
"ecx": 14569
},
"exception": {
"instruction_r": "fb 55 68 0f 30 4d 7b ff 34 24 e9 6f f4 ff ff 87",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe11e3",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 922083,
"address": "0x4e11e3"
}
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6278
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638200,
"edi": 5128505,
"eax": 28076,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 41475,
"esi": 5128839,
"ecx": 1977363580
},
"exception": {
"instruction_r": "fb e9 e9 f9 ff ff 81 c6 de 7e f8 5b e9 a9 00 00",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe4916",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 936214,
"address": "0x4e4916"
}
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6297
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 5128505,
"eax": 28076,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 41475,
"esi": 5156915,
"ecx": 1977363580
},
"exception": {
"instruction_r": "fb 68 00 00 00 00 e9 31 01 00 00 51 b9 04 00 00",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe466d",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 935533,
"address": "0x4e466d"
}
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6298
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 5128505,
"eax": 28076,
"ebp": 4130988052,
"edx": 4294941868,
"ebx": 32745,
"esi": 5156915,
"ecx": 1977363580
},
"exception": {
"instruction_r": "fb 68 82 2d 8e 77 ff 34 24 e9 08 00 00 00 89 14",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe488b",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 936075,
"address": "0x4e488b"
}
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6299
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638200,
"edi": 177116570,
"eax": 30905,
"ebp": 4130988052,
"edx": 2130566132,
"ebx": 5029952,
"esi": 7323628,
"ecx": 5138088
},
"exception": {
"instruction_r": "fb 81 c1 3e 64 47 77 03 0c 24 52 ba a4 1f f4 65",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe6dcf",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 945615,
"address": "0x4e6dcf"
}
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6325
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638204,
"edi": 177116570,
"eax": 30905,
"ebp": 4130988052,
"edx": 104169,
"ebx": 0,
"esi": 7323628,
"ecx": 5141329
},
"exception": {
"instruction_r": "fb 52 89 34 24 52 51 e9 a9 06 00 00 5f 8f 04 24",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0xe692c",
"instruction": "sti",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 944428,
"address": "0x4e692c"
}
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6326
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 25,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77c2f000"
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1664,
"type": "call",
"cid": 6327
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77ba0000"
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1664,
"type": "call",
"cid": 6329
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 139264,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00401000"
},
"time": 1574909588.296625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1664,
"type": "call",
"cid": 6432
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040b0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6487
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040c0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6488
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040d0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6489
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040e0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6490
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6491
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04100000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6492
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04110000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6493
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6495
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04120000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6498
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04130000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6501
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04140000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6502
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x04290000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6503
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x042a0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6505
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x042b0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6507
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6509
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6511
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6513
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6515
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6517
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6519
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6521
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1664,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x040f0000"
},
"time": 1574909588.311625,
"tid": 2736,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1664,
"type": "call",
"cid": 6523
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 2,
"marks": [
{
"type": "generic",
"description": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin tried to sleep 1155 seconds, actually delayed analysis time by 1155 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 25,
"families": [],
"description": "Foreign language identified in PE resource",
"severity": 2,
"marks": [
{
"name": "RT_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x00055a34",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000134"
},
{
"name": "RT_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x00055a34",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000134"
},
{
"name": "RT_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x00055a34",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000134"
},
{
"name": "RT_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x00055a34",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000134"
},
{
"name": "RT_BITMAP",
"language": "LANG_CHINESE",
"offset": "0x00055c48",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000003ea"
},
{
"name": "RT_BITMAP",
"language": "LANG_CHINESE",
"offset": "0x00055c48",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000003ea"
},
{
"name": "RT_DIALOG",
"language": "LANG_CHINESE",
"offset": "0x0005b830",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000001d8"
},
{
"name": "RT_DIALOG",
"language": "LANG_CHINESE",
"offset": "0x0005b830",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000001d8"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_STRING",
"language": "LANG_CHINESE",
"offset": "0x0005c34c",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000030"
},
{
"name": "RT_GROUP_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x0005c3b4",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000014"
},
{
"name": "RT_GROUP_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x0005c3b4",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000014"
},
{
"name": "RT_GROUP_CURSOR",
"language": "LANG_CHINESE",
"offset": "0x0005c3b4",
"filetype": "empty",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x00000014"
},
{
"name": "RT_VERSION",
"language": "LANG_CHINESE",
"offset": "0x001c0f32",
"filetype": "data",
"sublanguage": "SUBLANG_CHINESE_SIMPLIFIED",
"type": "generic",
"size": "0x000002b4"
}
],
"references": [],
"name": "origin_langid"
},
{
"markcount": 4,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.98001259170218,
"section": {
"size_of_data": "0x00021200",
"virtual_address": "0x00001000",
"entropy": 7.98001259170218,
"name": " \\x00 ",
"virtual_size": "0x00054000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.71415607270516,
"section": {
"size_of_data": "0x00004800",
"virtual_address": "0x00055000",
"entropy": 7.71415607270516,
"name": ".rsrc",
"virtual_size": "0x0000783d"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.892885228898153,
"section": {
"size_of_data": "0x00098400",
"virtual_address": "0x00129000",
"entropy": 7.892885228898153,
"name": "itowsvrv",
"virtual_size": "0x00099000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9980289093298291,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 1,
"families": [],
"description": "Expresses interest in specific running processes",
"severity": 2,
"marks": [
{
"category": "process",
"ioc": "system",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "process_interest"
},
{
"markcount": 3,
"families": [],
"description": "Checks for the presence of known devices from debuggers and forensic tools",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "\\??\\SICE",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "\\??\\SIWVID",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "\\??\\NTICE",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antidbg_devices"
},
{
"markcount": 344,
"families": [],
"description": "Checks for the presence of known windows from debuggers and forensic tools",
"severity": 3,
"marks": [
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6199
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6200
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909588.233625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6201
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6281
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6281
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6282
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6283
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1574909588.249625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6284
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6300
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6300
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Registry Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6301
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1574909588.265625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6302
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 203,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1574909588.296625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6440
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 203,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1574909588.296625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6440
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 203,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1574909588.296625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6441
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 203,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1574909588.296625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6442
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 203,
"nt_status": -1073741772,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1574909588.296625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 6443
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909590.233625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7894
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909590.233625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7895
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909590.233625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7896
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909592.249625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7906
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909592.249625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7907
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909592.249625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7908
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1574909592.311625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7916
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1574909592.311625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7916
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1574909592.624625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7918
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1574909592.936625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7920
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1574909592.936625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7920
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1574909592.936625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7921
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909594.265625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7925
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909594.265625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7926
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909594.265625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7927
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909596.280625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7937
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909596.280625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7938
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909596.280625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7939
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1574909596.936625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7947
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1574909596.936625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7947
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1574909597.249625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7949
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1574909597.561625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7951
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Filemonclass",
"window_name": ""
},
"time": 1574909597.561625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7951
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1574909597.561625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7952
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909598.296625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7956
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909598.296625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7957
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909598.296625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7958
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1574909600.311625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7968
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1574909600.311625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7969
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1574909600.311625,
"tid": 1676,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7970
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1574909601.561625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7979
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "Regmonclass",
"window_name": ""
},
"time": 1574909601.561625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7979
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1574909601.874625,
"tid": 1616,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 7981
}
],
"references": [],
"name": "antidbg_windows"
},
{
"markcount": 2,
"families": [],
"description": "Checks the version of Bios, possibly for anti-virtualization",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_generic_bios"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\60F0C4",
"reg_value": "C:\\Users\\cuck\\AppData\\Local\\Temp\\7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 1,
"families": [],
"description": "Detects VirtualBox through the presence of a registry key",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_vbox_keys"
},
{
"markcount": 1,
"families": [],
"description": "Detects VMWare through the in instruction feature",
"severity": 3,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 1638236,
"edi": 7351536,
"eax": 1447909480,
"ebp": 4130988052,
"edx": 22104,
"ebx": 1975324853,
"esi": 4818951,
"ecx": 20
},
"exception": {
"instruction_r": "ed 64 8f 05 00 00 00 00 50 53 54 5b 83 ec 04 89",
"symbol": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b+0x99111",
"instruction": "in eax, dx",
"module": "7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b.bin",
"exception_code": "0xc0000096",
"offset": 626961,
"address": "0x499111"
}
},
"time": 1574909587.890625,
"tid": 2736,
"flags": {}
},
"pid": 1664,
"type": "call",
"cid": 22
}
],
"references": [],
"name": "antivm_vmware_in_instruction"
},
{
"markcount": 1,
"families": [],
"description": "Detects the presence of Wine emulator",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Wine",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antiemu_wine"
}
]
The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.214266061782837,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5342,
"time": 12.215447187423706,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7186,
"time": 4.148966073989868,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7514,
"time": 4.772141218185425,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7842,
"time": 3.03849720954895,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8170,
"time": 6.148697137832642,
"dport": 5355,
"sport": 61553
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8498,
"time": 6.160917043685913,
"dport": 5355,
"sport": 64412
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8826,
"time": 4.73020601272583,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28236,
"time": 4.1840221881866455,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36620,
"time": 6.261399030685425,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "d76018e8460f1309c01808f48a1997499a632f3d6143905d4d520454b37a8f58",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "9f24e1c4d8e565b2a4b26f4679bfd0711aefc3e582147d288f2d4b8637b168ed",
"irc": [],
"https_ex": []
}
The instructions below show how to remove InstAosmgr.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the InstAosmgr.exe file for removal, restart your computer and scan it again to verify that InstAosmgr.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | 1408dfd9f9a963ba8d08f51c4f25e007 |
| SHA256 | 7dc0ea665b413c19fba2de1f07bc8f5ebc87d2271c5cac35c1ee273dad5e2d7b |
These are some of the error messages that can appear related to instaosmgr.exe:
instaosmgr.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
instaosmgr.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
KK??? has stopped working.
End Program - instaosmgr.exe. This program is not responding.
instaosmgr.exe is not a valid Win32 application.
instaosmgr.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
The poll result listed below shows what users chose to do with InstAosmgr.exe. 100% have voted for removal. Based on votes from 1 user.
| Choice | Share of votes | Votes |
|---|---|---|
| Keep | 0 % | 0 |
| Remove | 100 % | 1 |
NOTE: Please do not use this poll as the only source of input to determine what you will do with InstAosmgr.exe. Only 1 user has voted so far so it does not offer a high degree of confidence.