What is cheese.exe?
cheese.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected cheese.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
VirusTotal report
53 of the 67 anti-virus programs at VirusTotal detected the cheese.exe file. That's a 79% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Johnnie.91549 |
| AegisLab | Trojan.Win32.Inject.4!c |
| AhnLab-V3 | Malware/Win32.Suspicious.C680702 |
| Alibaba | Trojan:Win32/Inject.95f5db23 |
| ALYac | Gen:Variant.Johnnie.91549 |
| Antiy-AVL | Trojan/Win32.Inject |
| Arcabit | Trojan.Johnnie.D1659D |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| Avira | HEUR/AGEN.1009050 |
| BitDefender | Gen:Variant.Johnnie.91549 |
| Bkav | HW32.Packed. |
| CAT-QuickHeal | Worm.WBNA.BA3 |
| Comodo | Malware@#2fj0khuk0x05s |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.170b69 |
| Cyren | W32/Trojan.NGBG-8291 |
| DrWeb | Trojan.PWS.Multi.1911 |
| eGambit | Generic.Dropper |
| Emsisoft | Gen:Variant.Johnnie.91549 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Injector.BOWA |
| FireEye | Generic.mg.648748b170b6931d |
| Fortinet | W32/Generic.AC.2C907!tr |
| GData | Gen:Variant.Johnnie.91549 |
| Ikarus | Trojan.Win32.Inject |
| Invincea | heuristic |
| Jiangmin | Trojan/Neurevt.fs |
| K7AntiVirus | Trojan ( 004b15f71 ) |
| K7GW | Trojan ( 004b15f71 ) |
| Kaspersky | Trojan.Win32.Inject.thhp |
| Malwarebytes | Backdoor.CyberGate |
| MAX | malware (ai score=84) |
| McAfee | Artemis!648748B170B6 |
| McAfee-GW-Edition | BehavesLike.Win32.VBObfus.gc |
| Microsoft | Backdoor:Win32/Bergat.A |
| MicroWorld-eScan | Gen:Variant.Johnnie.91549 |
| NANO-Antivirus | Trojan.Win32.Inject.djgfmv |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM03.0.Malware.Gen |
| Rising | Trojan.Bagsu!8.3B1 (CLOUD) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Generic-S |
| Tencent | Win32.Trojan.Inject.Wogd |
| Trapmine | malicious.moderate.ml.score |
| TrendMicro-HouseCall | TROJ_INJECTOR.TFE708 |
| VBA32 | Trojan.Inject |
| VIPRE | Trojan.Win32.Generic!BT |
| Yandex | Trojan.Inject!y5NHfsbwMvI |
| Zillya | Trojan.Neurevt.Win32.569 |
| ZoneAlarm | Trojan.Win32.Inject.thhp |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\x.html"
],
"directory_created": [
"C:\\Windows\\InstallDir\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\"
],
"dll_loaded": [
"netutils.dll",
"urlmon.dll",
"KERNEL32",
"ntdll",
"kernel32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"PROPSYS.dll",
"kernel32",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\VB6ES",
"advapi32.dll",
"ole32.dll",
"wininet.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\kernel32.dll",
"Shell32.dll",
"CLBCatQ.DLL",
"SXS.DLL",
"USER32",
"rpcrt4.dll",
"SETUPAPI.dll",
"user32.dll"
],
"file_opened": [
"C:\\Windows\\InstallDir\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Windows\\InstallDir\\Server.exe"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"C:\\Windows\\InstallDir\\Server.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\SOFTWARE\\CyberGate",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Help",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\SOFTWARE\\6VKy0t7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Scripting.FileSystemObject\\CLSID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\(Default)",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"HKEY_CLASSES_ROOT\\htmlfile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\.HTM\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open\\command",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Scripting.FileSystemObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32",
"HKEY_CLASSES_ROOT\\.HTM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\TreatAs"
],
"command_line": [
"explorer.exe",
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"\"C:\\Windows\\InstallDir\\Server.exe\" ",
"C:\\Windows\\InstallDir\\Server.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"svchost.exe"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\x.html"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\",
"C:\\Users\\cuck\\",
"C:\\Windows\\Help\\.HLP",
"C:\\Windows\\InstallDir\\Server.exe",
"Volume{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"C:\\Windows\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\",
"C:\\Users\\",
"C:\\Windows\\System32\\C_932.NLS",
"C:\\Windows\\System32\\C_950.NLS",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\",
"C:\\Windows\\InstallDir\\",
"C:\\Windows\\System32\\C_936.NLS",
"C:\\Windows\\System32\\.HLP",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\x.html",
"C:\\Windows\\System32\\C_949.NLS",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"C:\\Users\\cuck\\AppData\\"
],
"mutex": [
"6VKy0t7",
"CYBERGATEUPDATE",
"6VKy0t7PERSIST"
],
"file_failed": [
"C:\\Windows\\WINHELP.INI"
],
"guid": [
"{00000000-0000-0000-c000-000000000046}",
"{0d43fe01-f093-11cf-8940-00a0c9054228}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Windows\\InstallDir\\Server.exe"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\fqpyg.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\gnfxzte.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\fyhv.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.PbagebyCnary",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zfvrkrp.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\GnfxOne\\Jvaqbjf Rkcybere.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Jvaqbjf Snk naq Fpna.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Erzbgr Qrfxgbc Pbaarpgvba.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Clguba27\\clguba.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\GnfxOne\\Sversbk.yax",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mF0N5PN977\\frghc-fgho.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\qvfcynlfjvgpu.rkr",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open\\command\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\qvfcynlfjvgpu.yax",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\KCF Ivrjre.yax",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Npprffbevrf\\Npprffvovyvgl\\Zntavsl.yax",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.htm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mFP11QQSS6\\frghc-fgho.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\HfreNppbhagPbagebyFrggvatf.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\kcfepuij.rkr",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\NoStaticDefaultVerb",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help\\.HLP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zfcnvag.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_MinMFU",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Jrypbzr Pragre.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Favccvat Gbby.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\FavccvatGbby.rkr",
"HKEY_CURRENT_USER\\Software\\6VKy0t7\\LastSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\GnfxOne\\Vagrearg Rkcybere.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mFP4O4RQS4\\frghc-fgho.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JSF.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Cnvag.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.CubgbIvrjre",
"HKEY_CURRENT_USER\\.HTM\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\Qbjaybnqf\\Sversbk Vafgnyyre-fr.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pnyp.rkr",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Fgvpxl Abgrf.yax",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\ProgID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.VagreargRkcybere.Qrsnhyg",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Scripting.FileSystemObject\\CLSID\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open\\NeverDefault",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mFPN5SN224\\frghc-fgho.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Pnyphyngbe.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zntavsl.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\UserChoice\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\Qbjaybnqf\\Sversbk Vafgnyyre.rkr",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\R7PS176R110P211O"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Windows\\InstallDir\\Server.exe"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HKCU",
"HKEY_CURRENT_USER\\Software\\6VKy0t7\\InstalledServer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\HKLM",
"HKEY_CURRENT_USER\\Software\\6VKy0t7\\ServerStarted"
]
}Dropped
[
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14_x.html",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/6098\/files\/e3b0c44298fc1c14_x.html",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [],
"sha1": "bc69a773f37b2f2071e25f755a66d47b871e5d98",
"name": "3b271649a94ad5be_6vky0t7.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.dat",
"type": "ISO-8859 text, with no line terminators",
"sha256": "3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde",
"urls": [],
"crc32": "769A4DCD",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/6098\/files\/3b271649a94ad5be_6vky0t7.dat",
"ssdeep": null,
"size": 2,
"sha512": "d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02",
"pids": [
856
],
"md5": "93e00066d099c0485cfffa1359246d26"
},
{
"yara": [],
"sha1": "8685cf4d93658ebb216fa5e8760b878ae92a8b47",
"name": "1269952d8645b416_6VKy0t7.nfo",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"type": "data",
"sha256": "1269952d8645b416f7e901e7eb5bb10388573e886c8c5c77fd93f0f48f2dea25",
"urls": [],
"crc32": "F6CA4690",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/6098\/files\/1269952d8645b416_6VKy0t7.nfo",
"ssdeep": null,
"size": 3604,
"sha512": "d5ff6798e608b4fc7a6a2610645195c5017eccdffe54861d5ec187da05e61b54a516d10732a12f1a513704a1858d5c648d48cec1493ea2d777a2222cb4a2857b",
"pids": [
856,
2360
],
"md5": "5c1639f0aa5c78f4d322c6cc2382a69b"
},
{
"yara": [],
"sha1": "913292f6b83adf41337fd50201ad341500abc8b0",
"name": "2663fdfe0fe4c375_6vky0t7.svr",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"type": "data",
"sha256": "2663fdfe0fe4c37532f919282d035579bf84a895be5971982437cffbd41bdb1b",
"urls": [],
"crc32": "8E808950",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/6098\/files\/2663fdfe0fe4c375_6vky0t7.svr",
"ssdeep": null,
"size": 367134,
"sha512": "09bed3adc8427e4aeec4e32dfd0640da71d2839b62973e4bae94f0965c5836028511295d99be878af388789fc020117972c3cf51d5a2ef1899aeb9d43c2fd94e",
"pids": [
856
],
"md5": "ad69242f4bf9548496051bd95ac05e1e"
}
]Generic
[
{
"process_path": "C:\\Windows\\InstallDir\\Server.exe",
"process_name": "Server.exe",
"pid": 2056,
"summary": {
"dll_loaded": [
"KERNEL32",
"SXS.DLL",
"ntdll",
"kernel32",
"USER32",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\kernel32.dll",
"C:\\Windows\\system32\\VB6ES",
"dwmapi.dll",
"CLBCatQ.DLL",
"OLEAUT32.dll"
],
"file_opened": [
"C:\\Windows\\InstallDir\\Server.exe"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocHandler",
"HKEY_CURRENT_USER\\Scripting.FileSystemObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Help",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Scripting.FileSystemObject\\CLSID",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\TreatAs"
],
"command_line": [
"C:\\Windows\\InstallDir\\Server.exe"
],
"file_exists": [
"C:\\Windows\\System32\\C_936.NLS",
"C:\\Windows\\System32\\C_932.NLS",
"C:\\Windows\\System32\\.HLP",
"C:\\Windows\\System32\\C_949.NLS",
"C:\\Windows\\Help\\.HLP",
"C:\\Windows\\System32\\C_950.NLS",
"C:\\Windows\\InstallDir\\Server.exe"
],
"file_failed": [
"C:\\Windows\\WINHELP.INI"
],
"guid": [
"{00000000-0000-0000-c000-000000000046}",
"{0d43fe01-f093-11cf-8940-00a0c9054228}"
],
"file_read": [
"C:\\Windows\\InstallDir\\Server.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help\\.HLP",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Scripting.FileSystemObject\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Windows\\InstallDir\\Server.exe"
]
},
"first_seen": 1584248004.343124,
"ppid": 856
},
{
"process_path": "C:\\Windows\\InstallDir\\Server.exe",
"process_name": "Server.exe",
"pid": 2360,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"dll_loaded": [
"rpcrt4.dll",
"ole32.dll",
"SETUPAPI.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\SOFTWARE\\CyberGate",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"mutex": [
"6VKy0t7",
"CYBERGATEUPDATE"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
]
},
"first_seen": 1584248006.171249,
"ppid": 2056
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"process_name": "53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"pid": 2676,
"summary": {
"dll_loaded": [
"KERNEL32",
"SXS.DLL",
"ntdll",
"kernel32",
"USER32",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\kernel32.dll",
"C:\\Windows\\system32\\VB6ES",
"dwmapi.dll",
"CLBCatQ.DLL",
"OLEAUT32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocHandler",
"HKEY_CURRENT_USER\\Scripting.FileSystemObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Help",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Scripting.FileSystemObject\\CLSID",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\TreatAs"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin"
],
"file_exists": [
"C:\\Windows\\System32\\C_936.NLS",
"C:\\Windows\\System32\\C_932.NLS",
"C:\\Windows\\System32\\.HLP",
"C:\\Windows\\System32\\C_949.NLS",
"C:\\Windows\\Help\\.HLP",
"C:\\Windows\\System32\\C_950.NLS",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin"
],
"file_failed": [
"C:\\Windows\\WINHELP.INI"
],
"guid": [
"{00000000-0000-0000-c000-000000000046}",
"{0d43fe01-f093-11cf-8940-00a0c9054228}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\ProgID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\HTML Help\\.HLP",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\950",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Scripting.FileSystemObject\\CLSID\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\949",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\932",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0D43FE01-F093-11CF-8940-00A0C9054228}\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage\\936",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin"
]
},
"first_seen": 1584247986.515625,
"ppid": 2724
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1584247986.3125,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"process_name": "53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"pid": 856,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\x.html"
],
"directory_created": [
"C:\\Windows\\InstallDir\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\"
],
"dll_loaded": [
"netutils.dll",
"urlmon.dll",
"PROPSYS.dll",
"kernel32.dll",
"wininet.dll",
"Shell32.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"C:\\Windows\\system32\\ole32.dll",
"advapi32.dll",
"rpcrt4.dll",
"ole32.dll",
"SETUPAPI.dll",
"user32.dll"
],
"file_opened": [
"C:\\Windows\\InstallDir\\",
"C:\\Windows\\InstallDir\\Server.exe"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"C:\\Windows\\InstallDir\\Server.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\SOFTWARE\\CyberGate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\FirefoxHTML-E7CF176E110C211B",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CLASSES_ROOT\\.HTM",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open",
"HKEY_CURRENT_USER\\SOFTWARE\\6VKy0t7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\.HTM\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open\\command",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\CurVer",
"HKEY_CLASSES_ROOT\\htmlfile",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\OpenWithProgids"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\x.html"
],
"file_exists": [
"C:\\Windows\\InstallDir\\",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\",
"C:\\",
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"C:\\Users\\",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Windows\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\",
"C:\\Windows\\InstallDir\\Server.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\x.html",
"C:\\Users\\cuck\\AppData\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo",
"Volume{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\"
],
"mutex": [
"6VKy0t7",
"CYBERGATEUPDATE",
"6VKy0t7PERSIST"
],
"command_line": [
"C:\\Windows\\InstallDir\\Server.exe",
"explorer.exe",
"svchost.exe",
"\"C:\\Windows\\InstallDir\\Server.exe\" ",
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.TrggvatFgnegrq",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\fqpyg.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\fyhv.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\gnfxzte.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.PbagebyCnary",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.JvaqbjfVafgnyyre",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Fgvpxl Abgrf.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zfvrkrp.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\GnfxOne\\Jvaqbjf Rkcybere.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Jvaqbjf Snk naq Fpna.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Erzbgr Qrfxgbc Pbaarpgvba.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Clguba27\\clguba.rkr",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open\\command\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\GnfxOne\\Sversbk.yax",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\qvfcynlfjvgpu.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.VagreargRkcybere.Qrsnhyg",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\qvfcynlfjvgpu.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\KCF Ivrjre.yax",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.CubgbIvrjre",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\Npprffbevrf\\Npprffvovyvgl\\Zntavsl.yax",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.htm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mFP11QQSS6\\frghc-fgho.rkr",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\HfreNppbhagPbagebyFrggvatf.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\kcfepuij.rkr",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zfcnvag.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Jrypbzr Pragre.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Favccvat Gbby.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\FavccvatGbby.rkr",
"HKEY_CURRENT_USER\\Software\\6VKy0t7\\LastSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\GnfxOne\\Vagrearg Rkcybere.yax",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mFP4O4RQS4\\frghc-fgho.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JSF.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.ErzbgrQrfxgbc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\.HTM\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\Qbjaybnqf\\Sversbk Vafgnyyre-fr.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pnyp.rkr",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mF0N5PN977\\frghc-fgho.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\NccQngn\\Ybpny\\Grzc\\7mFPN5SN224\\frghc-fgho.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.PbagebyCnary.Gnfxone",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\shell\\open\\NeverDefault",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Pnyphyngbe.yax",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zntavsl.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.Jvaqbjf.FgvpxlAbgrf",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.HTM\\UserChoice\\Progid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count\\{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\Npprffbevrf\\Cnvag.yax",
"HKEY_CURRENT_USER\\FirefoxHTML-E7CF176E110C211B\\NoStaticDefaultVerb",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\rkcybere.rkr",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_MinMFU",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\P:\\Hfref\\phpx\\Qbjaybnqf\\Sversbk Vafgnyyre.rkr",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\R7PS176R110P211O"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.svr",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\6VKy0t7\\6VKy0t7.nfo"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HKCU",
"HKEY_CURRENT_USER\\Software\\6VKy0t7\\InstalledServer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\HKLM",
"HKEY_CURRENT_USER\\Software\\6VKy0t7\\ServerStarted"
]
},
"first_seen": 1584247989.093124,
"ppid": 2676
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Tries to locate where the browsers are installed",
"severity": 1,
"marks": [
{
"category": "file",
"ioc": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "locates_browser"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1584247989.312124,
"tid": 300,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 83
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 3,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": ".text\\x00\\x10",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": ".data\\x00\\x02",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": ".rsrc\\x00\\x06",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 2,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "E\nb\nG\ne\nt\nH\na\nn\nd\nl\ne\nO\nf\nE\nx\ne\nc\nu\nt\ni\nn\ng\nP\nr\no\nj\ne\nc\nt\n+\n0\nx\n2\n2\nb\n3\n \nr\nt\nc\nP\na\nc\nk\nD\na\nt\ne\n-\n0\nx\nb\na\n9\n \nm\ns\nv\nb\nv\nm\n6\n0\n+\n0\nx\nd\n0\nd\nc\nf\n \n@\n \n0\nx\n7\n2\na\n1\n0\nd\nc\nf\n\n\nr\nt\nc\nD\no\nE\nv\ne\nn\nt\ns\n+\n0\nx\n1\n3\n1\n \n_\n_\nv\nb\na\nE\nr\nr\no\nr\n-\n0\nx\n6\n2\n6\n \nm\ns\nv\nb\nv\nm\n6\n0\n+\n0\nx\nc\ne\n2\n2\n8\n \n@\n \n0\nx\n7\n2\na\n0\ne\n2\n2\n8",
"registers": {
"esp": 1636760,
"edi": 3766032,
"eax": 1636760,
"ebp": 1636840,
"edx": 0,
"ebx": 3766032,
"esi": 3766032,
"ecx": 2
},
"exception": {
"instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
"symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
"instruction": "leave",
"module": "KERNELBASE.dll",
"exception_code": "0xc000008f",
"offset": 46887,
"address": "0x75dbb727"
}
},
"time": 1584247989.000625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 301
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "E\nb\nG\ne\nt\nH\na\nn\nd\nl\ne\nO\nf\nE\nx\ne\nc\nu\nt\ni\nn\ng\nP\nr\no\nj\ne\nc\nt\n+\n0\nx\n2\n2\nb\n3\n \nr\nt\nc\nP\na\nc\nk\nD\na\nt\ne\n-\n0\nx\nb\na\n9\n \nm\ns\nv\nb\nv\nm\n6\n0\n+\n0\nx\nd\n0\nd\nc\nf\n \n@\n \n0\nx\n7\n2\na\n1\n0\nd\nc\nf\n\n\nr\nt\nc\nD\no\nE\nv\ne\nn\nt\ns\n+\n0\nx\n1\n3\n1\n \n_\n_\nv\nb\na\nE\nr\nr\no\nr\n-\n0\nx\n6\n2\n6\n \nm\ns\nv\nb\nv\nm\n6\n0\n+\n0\nx\nc\ne\n2\n2\n8\n \n@\n \n0\nx\n7\n2\na\n0\ne\n2\n2\n8",
"registers": {
"esp": 1636760,
"edi": 6321208,
"eax": 1636760,
"ebp": 1636840,
"edx": 0,
"ebx": 6321208,
"esi": 6321208,
"ecx": 2
},
"exception": {
"instruction_r": "c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b",
"symbol": "RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727",
"instruction": "leave",
"module": "KERNELBASE.dll",
"exception_code": "0xc000008f",
"offset": 46887,
"address": "0x75dbb727"
}
},
"time": 1584248006.078124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 302
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 12,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01c80000"
},
"time": 1584247986.937625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2676,
"type": "call",
"cid": 247
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01c90000"
},
"time": 1584247986.937625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2676,
"type": "call",
"cid": 249
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01ca0000"
},
"time": 1584247986.937625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2676,
"type": "call",
"cid": 251
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01cf0000"
},
"time": 1584247986.937625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2676,
"type": "call",
"cid": 253
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01d00000"
},
"time": 1584247986.937625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2676,
"type": "call",
"cid": 255
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01d10000"
},
"time": 1584247986.937625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2676,
"type": "call",
"cid": 257
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00420000"
},
"time": 1584248004.437124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 248
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00550000"
},
"time": 1584248004.437124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 250
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00560000"
},
"time": 1584248004.437124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 252
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00800000"
},
"time": 1584248004.437124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 254
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02480000"
},
"time": 1584248004.437124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 256
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2056,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02490000"
},
"time": 1584248004.437124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2056,
"type": "call",
"cid": 258
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "svchost.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 1,
"families": [],
"description": "A process created a hidden window",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "ShellExecuteExW",
"return_value": 1,
"arguments": {
"parameters": "",
"filepath": "C:\\Windows\\InstallDir\\Server.exe",
"filepath_r": "C:\\Windows\\InstallDir\\Server.exe",
"show_type": 0
},
"time": 1584248004.281124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 804
}
],
"references": [],
"name": "stealth_window"
},
{
"markcount": 1,
"families": [],
"description": "Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"length": 24576,
"protection": 32,
"process_handle": "0xffffffff",
"base_address": "0x01be0000"
},
"time": 1584247986.781625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READ"
}
},
"pid": 2676,
"type": "call",
"cid": 18
}
],
"references": [],
"name": "protection_rx"
},
{
"markcount": 36,
"families": [],
"description": "Terminates another process",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741664,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 0,
"process_handle": "0x00000164"
},
"time": 1584247996.140124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 302
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741664,
"api": "NtTerminateProcess",
"return_value": 3221225480,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 0,
"process_handle": "0x00000164"
},
"time": 1584247996.140124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 303
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2236,
"process_handle": "0x00000174"
},
"time": 1584247997.140124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 318
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2236,
"process_handle": "0x00000174"
},
"time": 1584247997.140124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 319
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2268,
"process_handle": "0x00000164"
},
"time": 1584247997.297124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 332
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2268,
"process_handle": "0x00000164"
},
"time": 1584247997.297124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 333
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 3048,
"process_handle": "0x0000017c"
},
"time": 1584247997.937124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 347
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 3048,
"process_handle": "0x0000017c"
},
"time": 1584247997.937124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 348
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 1348,
"process_handle": "0x00000188"
},
"time": 1584247998.078124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 361
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 1348,
"process_handle": "0x00000188"
},
"time": 1584247998.078124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 362
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 552,
"process_handle": "0x00000190"
},
"time": 1584247998.734124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 376
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 552,
"process_handle": "0x00000190"
},
"time": 1584247998.734124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 377
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 3000,
"process_handle": "0x00000198"
},
"time": 1584247998.890124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 390
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 3000,
"process_handle": "0x00000198"
},
"time": 1584247998.890124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 391
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 608,
"process_handle": "0x000001a0"
},
"time": 1584247999.547124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 405
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 608,
"process_handle": "0x000001a0"
},
"time": 1584247999.547124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 406
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 1092,
"process_handle": "0x000001a8"
},
"time": 1584247999.703124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 419
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 1092,
"process_handle": "0x000001a8"
},
"time": 1584247999.703124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 420
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2504,
"process_handle": "0x000001b0"
},
"time": 1584248000.359124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 434
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2504,
"process_handle": "0x000001b0"
},
"time": 1584248000.359124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 435
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 1676,
"process_handle": "0x000001b8"
},
"time": 1584248000.515124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 448
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 1676,
"process_handle": "0x000001b8"
},
"time": 1584248000.515124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 449
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2752,
"process_handle": "0x000001c0"
},
"time": 1584248001.172124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 463
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2752,
"process_handle": "0x000001c0"
},
"time": 1584248001.172124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 464
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 3020,
"process_handle": "0x000001c8"
},
"time": 1584248001.328124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 477
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 3020,
"process_handle": "0x000001c8"
},
"time": 1584248001.328124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 478
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2248,
"process_handle": "0x000001d0"
},
"time": 1584248001.984124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 492
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2248,
"process_handle": "0x000001d0"
},
"time": 1584248001.984124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 493
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2868,
"process_handle": "0x000001d8"
},
"time": 1584248002.125124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 506
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2868,
"process_handle": "0x000001d8"
},
"time": 1584248002.125124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 507
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2668,
"process_handle": "0x000001e0"
},
"time": 1584248002.781124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 521
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2668,
"process_handle": "0x000001e0"
},
"time": 1584248002.781124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 522
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -2147483642,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2312,
"process_handle": "0x000001e8"
},
"time": 1584248002.937124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 535
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2312,
"process_handle": "0x000001e8"
},
"time": 1584248002.937124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 536
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741811,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2308,
"process_handle": "0x000001f0"
},
"time": 1584248003.093124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 550
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2308,
"process_handle": "0x000001f0"
},
"time": 1584248003.093124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 551
}
],
"references": [],
"name": "terminates_remote_process"
},
{
"markcount": 2,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 28ed533cbf5c76005356fdb12535242529017aae",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: 2f70fcc9396f60d8f9b137cf138d75387e143ad6",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 12,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x000000f8",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2676,
"type": "call",
"cid": 265
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1616,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000168",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247994.468124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 199
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2184,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000164",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247995.125124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 296
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247996.640124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 313
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247997.437124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 342
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247998.234124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 371
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247999.047124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 400
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247999.859124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 429
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248000.672124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 458
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248001.484124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 487
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248002.281124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 516
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2360,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x000000f8",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2056,
"type": "call",
"cid": 266
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 2,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\HKLM",
"reg_value": "C:\\Windows\\InstallDir\\Server.exe"
},
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HKCU",
"reg_value": "C:\\Windows\\InstallDir\\Server.exe"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 1,
"families": [
"cybergate"
],
"description": "Creates known Cybergate files, registry keys and\/or mutexes",
"severity": 3,
"marks": [
{
"category": "regkey",
"ioc": "HKEY_CURRENT_USER\\SOFTWARE\\CyberGate",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "cybergate"
},
{
"markcount": 4,
"families": [],
"description": "Creates a thread using CreateRemoteThread in a non-child process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 856 created a remote thread in non-child process 1616",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateRemoteThread",
"return_value": 364,
"arguments": {
"thread_identifier": 2572,
"process_identifier": 1616,
"function_address": "0x00407868",
"flags": 0,
"process_handle": "0x00000168",
"parameter": "0x0040e674",
"stack_size": 0
},
"time": 1584247994.797124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 201
},
{
"category": "Process injection",
"ioc": "Process 856 created a remote thread in non-child process 2184",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateRemoteThread",
"return_value": 384,
"arguments": {
"thread_identifier": 264,
"process_identifier": 2184,
"function_address": "0x00407e7c",
"flags": 0,
"process_handle": "0x00000164",
"parameter": "0x0040fcb0",
"stack_size": 0
},
"time": 1584247995.140124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 298
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_createremotethread"
},
{
"markcount": 13,
"families": [],
"description": "Manipulates memory of a non-child process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 856 manipulating memory of non-child process 1616",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1616,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000168",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247994.468124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 199
},
{
"category": "Process injection",
"ioc": "Process 856 manipulating memory of non-child process 2184",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2184,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000164",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247995.125124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 296
},
{
"category": "Process injection",
"ioc": "Process 856 manipulating memory of non-child process 0",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247996.640124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 313
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247997.437124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 342
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247998.234124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 371
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247999.047124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 400
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247999.859124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 429
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248000.672124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 458
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248001.484124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 487
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248002.281124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 516
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_modifies_memory"
},
{
"markcount": 16,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "MZP\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u000f\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u001a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u00ba\u0010\u0000\u000e\u001f\u00b4\t\u00cd!\u00b8\u0001L\u00cd!\u0090\u0090This program must be run under Win32\r\n$7\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\b\u0000\u0019^B*\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u008e\u0081\u000b\u0001\u0002\u0019\u0000\u0088\u0000\u0000\u0000\u00ca\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0006\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0010\u0000\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000h\r\u0000\u0000\u0000@\u0001\u0000T\u00aa\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\b\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0001\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000CODE\u0000\u0000\u0000\u0000d\u0087\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0088\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`DATA\u0000\u0000\u0000\u00000\u0001\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u008c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0BSS\u0000\u0000\u0000\u0000\u0000\u00edN\u0000\u0000\u0000\u00b0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.idata\u0000\u0000h\r\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.tls\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.rdata\u0000\u0000\u0018\u0000\u0000\u0000\u0000 \u0001\u0000\u0000\u0002\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.reloc\u0000\u0000\b\n\u0000\u0000\u00000\u0001\u0000\u0000\f\u0000\u0000\u0000\u009e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.rsrc\u0000\u0000\u0000T\u00aa\u0005\u0000\u0000@\u0001\u0000\u0000\u00ac\u0005\u0000\u0000\u00aa\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00ac\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 267
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00002\u0013\u008b\u00c0\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\"@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000T\u0015@\u0000 \u0015@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000\u0000\u0000\u0000\u0000\u00b0\u0010@\u0000\u00c4\u0010@\u0000\u00e8\u0010@\u0000\u0000\u00cb\u00cc\u00c8\u00c9\u00d7\u00cf\u00c8\u00cd\u00ce\u00db\u00d8\u00ca\u00d9\u00da\u00dc\u00dd\u00de\u00df\u00e0\u00e1\u00e3\u0000\u00e4\u00e5\u008d@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000\u0010#@\u0000\u00ff\u00ff\u00ff\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000=@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0@\u0000\u00ec\u00c4@\u0000\u0090\u00b6@\u0000\u00e8\u00c4@\u0000\u00f8\u00c4@\u0000\u00e4\u00c4@\u0000\u00a4\u00c4@\u0000\u00c0\u00c4@\u0000\u00c8\u00c4@\u0000\f\u00d3@\u0000\u00dc\u00c4@\u0000\u00e0\u00c4@\u0000\u00bc\u00a0@\u0000\u0018\u00a0@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x0040a000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 274
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741583,
"api": "WriteProcessMemory",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0003\u0001\u0000,\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a4\u0004\u0001\u0000t\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ec\u0004\u0001\u0000\u0084\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0001\u0000\u00a0\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a2\t\u0001\u0000\u009c\u0002\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Z\u000b\u0001\u0000\u0000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000v\u000b\u0001\u0000\b\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u000b\u0001\u0000 \u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\f\u0001\u0000(\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.\f\u0001\u00000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\f\u0001\u0000@\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u009e\f\u0001\u0000H\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00de\f\u0001\u0000X\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\r\u0001\u0000p\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0003\u0001\u0000\u009c\u0003\u0001\u0000\u00b2\u0003\u0001\u0000\u00c8\u0003\u0001\u0000\u00d6\u0003\u0001\u0000\u00f2\u0003\u0001\u0000\u00fe\u0003\u0001\u0000\u0010\u0004\u0001\u0000 \u0004\u0001\u0000.\u0004\u0001\u0000<\u0004\u0001\u0000J\u0004\u0001\u0000^\u0004\u0001\u0000l\u0004\u0001\u0000x\u0004\u0001\u0000\u0086\u0004\u0001\u0000\u0092\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00b2\u0004\u0001\u0000\u00c2\u0004\u0001\u0000\u00d8\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00fa\u0004\u0001\u0000\f\u0005\u0001\u0000 \u0005\u0001\u00000\u0005\u0001\u0000B\u0005\u0001\u0000R\u0005\u0001\u0000\u0000\u0000\u0000\u0000n\u0005\u0001\u0000z\u0005\u0001\u0000\u0090\u0005\u0001\u0000\u009c\u0005\u0001\u0000\u00b2\u0005\u0001\u0000\u00c6\u0005\u0001\u0000\u00d6\u0005\u0001\u0000\u00e4\u0005\u0001\u0000\u00f6\u0005\u0001\u0000\u0006\u0006\u0001\u0000\u0018\u0006\u0001\u0000,\u0006\u0001\u0000D\u0006\u0001\u0000L\u0006\u0001\u0000^\u0006\u0001\u0000r\u0006\u0001\u0000\u0086\u0006\u0001\u0000\u0094\u0006\u0001\u0000\u00a6\u0006\u0001\u0000\u00bc\u0006\u0001\u0000\u00cc\u0006\u0001\u0000\u00dc\u0006\u0001\u0000\u00ec\u0006\u0001\u0000\u0000\u0007\u0001\u0000",
"process_handle": "0x000000f8",
"base_address": "0x0040b000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 277
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0003\u0001\u0000,\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a4\u0004\u0001\u0000t\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ec\u0004\u0001\u0000\u0084\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0001\u0000\u00a0\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a2\t\u0001\u0000\u009c\u0002\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Z\u000b\u0001\u0000\u0000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000v\u000b\u0001\u0000\b\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u000b\u0001\u0000 \u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\f\u0001\u0000(\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.\f\u0001\u00000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\f\u0001\u0000@\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u009e\f\u0001\u0000H\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00de\f\u0001\u0000X\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\r\u0001\u0000p\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0003\u0001\u0000\u009c\u0003\u0001\u0000\u00b2\u0003\u0001\u0000\u00c8\u0003\u0001\u0000\u00d6\u0003\u0001\u0000\u00f2\u0003\u0001\u0000\u00fe\u0003\u0001\u0000\u0010\u0004\u0001\u0000 \u0004\u0001\u0000.\u0004\u0001\u0000<\u0004\u0001\u0000J\u0004\u0001\u0000^\u0004\u0001\u0000l\u0004\u0001\u0000x\u0004\u0001\u0000\u0086\u0004\u0001\u0000\u0092\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00b2\u0004\u0001\u0000\u00c2\u0004\u0001\u0000\u00d8\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00fa\u0004\u0001\u0000\f\u0005\u0001\u0000 \u0005\u0001\u00000\u0005\u0001\u0000B\u0005\u0001\u0000R\u0005\u0001\u0000\u0000\u0000\u0000\u0000n\u0005\u0001\u0000z\u0005\u0001\u0000\u0090\u0005\u0001\u0000\u009c\u0005\u0001\u0000\u00b2\u0005\u0001\u0000\u00c6\u0005\u0001\u0000\u00d6\u0005\u0001\u0000\u00e4\u0005\u0001\u0000\u00f6\u0005\u0001\u0000\u0006\u0006\u0001\u0000\u0018\u0006\u0001\u0000,\u0006\u0001\u0000D\u0006\u0001\u0000L\u0006\u0001\u0000^\u0006\u0001\u0000r\u0006\u0001\u0000\u0086\u0006\u0001\u0000\u0094\u0006\u0001\u0000\u00a6\u0006\u0001\u0000\u00bc\u0006\u0001\u0000\u00cc\u0006\u0001\u0000\u00dc\u0006\u0001\u0000\u00ec\u0006\u0001\u0000\u0000\u0007\u0001\u0000\f\u0007\u0001\u0000\u001a\u0007\u0001\u0000*\u0007\u0001\u0000D\u0007\u0001\u0000T\u0007\u0001\u0000d\u0007\u0001\u0000t\u0007\u0001\u0000\u0082\u0007\u0001\u0000\u0090\u0007\u0001\u0000\u00a8\u0007\u0001\u0000\u00ba\u0007\u0001\u0000\u00ce\u0007\u0001\u0000\u00de\u0007\u0001\u0000\u00f4\u0007\u0001\u0000\u0006\b\u0001\u0000\u001a\b\u0001\u00000\b\u0001\u0000@\b\u0001\u0000P\b\u0001\u0000^\b\u0001\u0000t\b\u0001\u0000\u0086\b\u0001\u0000\u009c\b\u0001\u0000\u00b0\b\u0001\u0000\u00c2\b\u0001\u0000\u00d2\b\u0001\u0000\u00e0\b\u0001\u0000\u00f0\b\u0001\u0000\u0002\t\u0001\u0000\u0010\t\u0001\u0000\u001e\t\u0001\u0000.\t\u0001\u0000D\t\u0001\u0000V\t\u0001\u0000f\t\u0001\u0000t\t\u0001\u0000\u0088\t\u0001\u0000\u0094\t\u0001\u0000\u0000\u0000\u0000\u0000\u00ae\t\u0001\u0000\u00c4\t\u0001\u0000\u00d2\t\u0001\u0000\u00e6\t\u0001\u0000\u00fc\t\u0001\u0000\f\n\u0001\u0000\u001e\n\u0001\u0000.\n\u0001\u0000>\n\u0001\u0000L\n\u0001\u0000^\n\u0001\u0000z\n\u0001\u0000\u008c\n\u0001\u0000\u009c\n\u0001\u0000\u00b0\n\u0001\u0000\u00be\n\u0001\u0000\u00d4\n\u0001\u0000\u00e8\n\u0001\u0000\u00fc\n\u0001\u0000\u000e\u000b\u0001\u0000 \u000b\u0001\u0000.\u000b\u0001\u0000:\u000b\u0001\u0000H\u000b\u0001\u0000\u0000\u0000\u0000\u0000f\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u0082\u000b\u0001\u0000\u009a\u000b\u0001\u0000\u00b8\u000b\u0001\u0000\u00c6\u000b\u0001\u0000\u00d8\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u00f4\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u0016\f\u0001\u0000\u0000\u0000\u0000\u0000<\f\u0001\u0000N\f\u0001\u0000`\f\u0001\u0000\u0000\u0000\u0000\u0000\u0086\f\u0001\u0000\u0000\u0000\u0000\u0000\u00aa\f\u0001\u0000\u00bc\f\u0001\u0000\u00ca\f\u0001\u0000\u0000\u0000\u0000\u0000\u00ea\f\u0001\u0000\u0000\r\u0001\u0000\u000e\r\u0001\u0000(\r\u0001\u00008\r\u0001\u0000\u0000\u0000\u0000\u0000X\r\u0001\u0000\u0000\u0000\u0000\u0000kernel32.dll\u0000\u0000\u0000\u0000GetCurrentThreadId\u0000\u0000\u0000\u0000WideCharToMultiByte\u0000\u0000\u0000MultiByteToWideChar\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000UnhandledExceptionFilter\u0000\u0000\u0000\u0000RtlUnwind\u0000\u0000\u0000RaiseException\u0000\u0000\u0000\u0000GetSystemTime\u0000\u0000\u0000TlsSetValue\u0000\u0000\u0000TlsGetValue\u0000\u0000\u0000LocalAlloc\u0000\u0000\u0000\u0000GetModuleHandleA\u0000\u0000\u0000\u0000FreeLibrary\u0000\u0000\u0000HeapFree\u0000\u0000\u0000\u0000HeapReAlloc\u0000\u0000\u0000HeapAlloc\u0000\u0000\u0000GetProcessHeap\u0000\u0000oleaut32.dll\u0000\u0000\u0000\u0000SysFreeString\u0000\u0000\u0000SysReAllocStringLen\u0000\u0000\u0000SysAllocStringLen\u0000advapi32.dll\u0000\u0000\u0000\u0000RegSetValueExW\u0000\u0000\u0000\u0000RegQueryValueExW\u0000\u0000\u0000\u0000RegOpenKeyExW\u0000\u0000\u0000RegCreateKeyExW\u0000\u0000\u0000RegCreateKeyW\u0000\u0000\u0000RegCloseKey\u0000kernel32.dll\u0000\u0000\u0000\u0000lstrlenW\u0000\u0000\u0000\u0000WriteProcessMemory\u0000\u0000\u0000\u0000WriteFile\u0000\u0000\u0000WaitForSingleObject\u0000\u0000\u0000VirtualProtectEx\u0000\u0000\u0000\u0000VirtualFreeEx\u0000\u0000\u0000VirtualFree\u0000\u0000\u0000VirtualAllocEx\u0000\u0000\u0000\u0000VirtualAlloc\u0000\u0000\u0000\u0000TerminateThread\u0000\u0000\u0000TerminateProcess\u0000\u0000\u0000\u0000SystemTimeToFileTime\u0000\u0000\u0000\u0000Sleep\u0000\u0000\u0000SizeofResource\u0000\u0000\u0000\u0000SetThreadPriority\u0000\u0000\u0000SetThreadContext\u0000\u0000\u0000\u0000SetFileTime\u0000\u0000\u0000SetFilePointer\u0000\u0000\u0000\u0000SetFileAttributesW\u0000\u0000\u0000\u0000SetErrorMode\u0000\u0000\u0000\u0000SetEndOfFile\u0000\u0000\u0000\u0000ResumeThread\u0000\u0000\u0000\u0000ReadProcessMemory\u0000\u0000\u0000ReadFile\u0000\u0000\u0000\u0000OpenProcess\u0000\u0000\u0000LockResource\u0000\u0000\u0000\u0000LocalFileTimeToFileTime\u0000\u0000\u0000LoadResource\u0000\u0000\u0000\u0000LoadLibraryA\u0000\u0000\u0000\u0000GlobalUnlock\u0000\u0000\u0000\u0000GlobalSize\u0000\u0000\u0000\u0000GlobalLock\u0000\u0000\u0000\u0000GetWindowsDirectoryW\u0000\u0000\u0000\u0000GetTimeFormatW\u0000\u0000\u0000\u0000GetThreadContext\u0000\u0000\u0000\u0000GetTempPathW\u0000\u0000\u0000\u0000GetSystemDirectoryW\u0000\u0000\u0000GetProcAddress\u0000\u0000\u0000\u0000GetModuleHandleA\u0000\u0000\u0000\u0000GetModuleFileNameW\u0000\u0000\u0000\u0000GetLocalTime\u0000\u0000\u0000\u0000GetLastError\u0000\u0000\u0000\u0000GetFileSize\u0000\u0000\u0000GetFileAttributesW\u0000\u0000\u0000\u0000GetDateFormatW\u0000\u0000\u0000\u0000GetCurrentProcessId\u0000\u0000\u0000GetCurrentProcess\u0000\u0000\u0000GetCommandLineW\u0000\u0000\u0000FreeResource\u0000\u0000\u0000\u0000FreeLibrary\u0000\u0000\u0000FindResourceW\u0000\u0000\u0000FindFirstFileW\u0000\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000DeleteFileW\u0000\u0000\u0000CreateThread\u0000\u0000\u0000\u0000CreateRemoteThread\u0000\u0000\u0000\u0000CreateProcessW\u0000\u0000\u0000\u0000CreateMutexW\u0000\u0000\u0000\u0000CreateFileW\u0000\u0000\u0000CreateDirectoryW\u0000\u0000\u0000\u0000CopyFileW\u0000\u0000\u0000CloseHandle\u0000user32.dll\u0000\u0000\u0000\u0000UnhookWindowsHookEx\u0000\u0000\u0000ShowWindow\u0000\u0000\u0000\u0000SetWindowsHookExW\u0000\u0000\u0000SetClipboardViewer\u0000\u0000\u0000\u0000SendMessageA\u0000\u0000\u0000\u0000RegisterClassW\u0000\u0000\u0000\u0000PostMessageA\u0000\u0000\u0000\u0000OpenClipboard\u0000\u0000\u0000MessageBoxW\u0000\u0000\u0000MapVirtualKeyW\u0000\u0000\u0000\u0000GetWindowThreadProcessId\u0000\u0000\u0000\u0000GetWindowTextW\u0000\u0000\u0000\u0000GetWindowRect\u0000\u0000\u0000GetKeyboardLayout\u0000\u0000\u0000GetKeyState\u0000\u0000\u0000GetForegroundWindow\u0000\u0000\u0000GetDesktopWindow\u0000\u0000\u0000\u0000GetClipboardData\u0000\u0000\u0000\u0000DefWindowProcA\u0000\u0000\u0000\u0000CloseClipboard\u0000\u0000\u0000\u0000CharUpperW\u0000\u0000\u0000\u0000CharNextW\u0000\u0000\u0000CharLowerW\u0000\u0000\u0000\u0000CallNextHookEx\u0000\u0000shlwapi.dll\u0000\u0000\u0000SHDeleteKeyW\u0000\u0000shell32.dll\u0000\u0000\u0000SHGetPathFromIDListW\u0000\u0000\u0000\u0000SHGetSpecialFolderLocation\u0000\u0000\u0000\u0000SHGetMalloc\u0000\u0000\u0000FindExecutableW\u0000\u0000\u0000ShellExecuteW\u0000urlmon.dll\u0000\u0000\u0000\u0000URLDownloadToFileW\u0000\u0000wininet.dll\u0000\u0000\u0000DeleteUrlCacheEntryW\u0000\u0000kernel32.dll\u0000\u0000\u0000\u0000Process32NextW\u0000\u0000\u0000\u0000Process32FirstW\u0000\u0000\u0000CreateToolhelp32Snapshot\u0000\u0000ntdll.dll\u0000\u0000\u0000NtUnmapViewOfSection\u0000\u0000user32.dll\u0000\u0000\u0000\u0000CreateWindowExW\u0000\u0000\u0000ToUnicodeEx\u0000\u0000\u0000GetKeyboardState\u0000\u0000wininet.dll\u0000\u0000\u0000InternetCloseHandle\u0000\u0000\u0000FtpPutFileW\u0000\u0000\u0000FtpSetCurrentDirectoryW\u0000\u0000\u0000InternetOpenW\u0000\u0000\u0000InternetConnectW\u0000\u0000shell32.dll\u0000\u0000\u0000ShellExecuteW\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00410000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 280
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741583,
"api": "WriteProcessMemory",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0010A\u0000\b\u0010A\u0000x\u00a0@\u0000\u0010 A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u00c4\u0000\u0000\u0000\u00000\u00120\u001a0\"0*020:0B0J0R0Z0b0j0r0z0\u00820\u008a0\u00920\u009a0\u00a20\u00aa0\u00b20\u00b80\u00c90\u00d20\u00eb0\u00f40\u00061\u001e1?1X1q1\u00821\u00971\u00a41\u00c41z2\u00a92\u00b42\u00c52\u00da2\u00f02\b3\u00163J3f3r3\u00863\u00b33\u00e03\u00e93\u001b4$4Y4`4\u00824\u00cf4%5_5e5v5\u00855\u008b5\u00995\u00a95\u00bc5\u00c65\u00ca5\u00d05\u00d45\u00d95\u00e05\u00e65\u00ee5\u00f45 6*6Q6V6[6}6\u00866\u009c6\u00b46\u00cf6\u00ee6\u00f76\u001d7*7};M?W?\u00f5?\u00fe?\u0000 \u0000\u0000D\u0001\u0000\u0000\t0\u000e0\u00160>2E2R2\u008b2\u00972\u009f2\u00a52\u00b22\u00c22\u00cf2\u00d52\u00d92\u00e02\u00e92\u00f22\u00033b3\u008c3\u009a3\u009f3\u00b83\u00c83\u00d93\u00ea3\u00f63\u00fb3\u00004\u00074\u000e4\u00184\/4;4B4T4f4s44\u008c4\u009e4\u00a64\u00ae4\u00b64\u00be4\u00c64\u00ce4\u00d64\u00de4\u00e64\u00ee4\u00f64\u001e5&5.565>5F5N5V5^5f5n5v5~5\u00865\u008e5\u00965\u009e5\u00a65\u00ae5\u00b65\u00be5\u00c65\u00ce5\u00d65\u00de5\u00e65\u00ee5\u00f65\u00fe5\u00066\u000e6\u00166\u001e6&6.666>6F6N6V6^6f6n6v6~6\u00866\u008e6\u00966\u009e6\u00a66\u00ae6\u00b66\u00be6\u00c66\u00ce6\u00d66\u00de6\u00e66\u00ee6\u00f66\u00fe6\u00067\u000e7\u00167\u001e7&7.767>7F7N7V7^7f7n7v7~7\u00867\u008e7\u00967\u009e7\u00bb7\u00c77\u00d47\u00e67\u00ee7\u00f67R8\u00878\u00139$9E9\u0006:2:\u0084:\u000e;\u0016;\u001e;7;h;\u00be;\u00e0;\u0014>\u001f>{>\u00000\u0000\u0000\u00ac\u0000\u0000\u0000\u00111e1\u00821\u008a1R2p2\u00a12\u00c32\u00c23\u00ca3\u00d23\u00c54W55\u008b5\u00925\u00a45\u00b85\u00bc5\u00c25\u00ca5\u00816\u00916\u009c6\u00aa6\u00b76\u00ff6\u00167H7\\7z7\u001a8\u001f8\u00968\u00be8\u0085;\u0096;\u00c3;\u00c9;\u00d4;\u00eb;\u00fc;\u001e<)<\/<:<@\u001b>'>4>F>S>_>l>~>\u008b>\u0097>\u00a4>\u00b6>\u008d?\u0000\u0000\u0000@\u0000\u0000\u00d4\u0000\u0000\u0000\u00041+171>1H1R1d1x1|1\u00801\u00841\u008a1\u00921\u00df1\u00ec1\u00f21\u00fc1\b2\u00112\u00192(2-272<2B2N2e22\u00a02\u00a62\u00b22\u00bf2\u00d62\u00dc2\u00ed2\u00f32\u00103\u00163#363C3I3S3j3\u00b63\u00be3\u00f73\u00054\u00104O4\u00ab4\u00c04\u00dc4&5\u00af5\u00eb5d6\u00ca6\u00ed6\u001a73788=8K8Y8\u00e48\u00169\u00e29):9:F:\u0083;\u00cc;\u00e4;\u00f7;><\u009b<\u00b4<\u00d8<=\u008b=\u0092=\u009c=\u00a7=\u00b9=\u00cc=\u00d0=\u00d6=\u00de=\u00ea=\u00f2=X>\u00a2>\u00d4>\u001e?@?U?{?\u0088?\u0090?\u00a2?\u00f2?\u0000P\u0000\u0000\u0090\u0001\u0000\u0000\u00180\u00820\u008f0\u00970\u00a90\u00f90\u00181\u00f02'3.3&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4\u00824\u00864\u008a4\u008e4\u00924\u00964\u009a4\u009e4\u00a24\u00a64\u00aa4\u00ae4\u00b24\u00b64\u00ba4\u00be4\u00c24\u00c64\u00ca4\u00ce4\u00d24\u00d64\u00da4\u00de4\u00e24\u00e64\u00ea4\u00ee4\u00f24\u00f64\u00fa4\u00fe4\u00025\u00065\n5\u000e5\u00125\u00165\u001a5\u001e5\"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5\u00825\u00895\u009a5\u00ab5\u00bc5\u00cd5\u00de5\u00ef5\u00006\u00116\"636D6U6f6w6\u00886\u00996\u00aa6\u00bb6\u00cc6\u00dd6\u00ee6\u00ff6\u00107!727C7T7e7v7\u00877\u00987\u00a97\u00ba7\u00cb7\u00dc7\u00ed7\u00fe7\u000f8 818B8S8d8u8\u00868\u00978\u00a88\u00b98\u00ca8\u00db8\u00ec8\u00fd8\u000e9\u001f909A9R9c9t9\u00859\u00969\u00a79\u00b89\u00c99\u00da9\u00eb9\u00fc9\r:\u001e:\/:@:Q:b:s:\u0084:\u0095:\u00a6:\u00b4:\u00c2:\u00d0:\u00de:\u00ec:\u00fa:\b;\u0016;$;:;D;T;f;\u00ab;G<`\u0010>7>U>a>u>}>\u008a>\u009a>\u00bb>\u00c9>\u00d4>\u00e0>\u00ea>\u00f4>\u00fc>\u000e?\u00ce?\u0000\u0000\u0000p\u0000\u0000\u00f4\u0000\u0000\u0000\u00030m0\u009e0\u00ba0\u00071\r1\u00131\u00191-171J1P1d1y1\u00881\u008e1\u00a61\u00bd1\u00c71\u00d81\u00ec1H2\u00922\u009b2\u00d52\u00ed2\u00fe2l3\u00843\u00923\u00a13\u00d23\u00f13\u00f63\u00fb3\u00004\f4\u00114$414C4N4Z4d4\u00814\u00d74\u00dd4\u00e34\u00eb4\u00f74\u00fe4\u000e5(53595G5\u00835\u008e5\u00975\u009f5\u00b05\u00d65\u00e05\u00f65\u00fc5\n6\u00156!6*626>6L6\u00826\u008a6\u00926\u009a6\u00a2677C7J7\\7s77\u008d7\u00fc7\u00018\u000f8\u001e8r8|8\u00868\u00908\u009a8\u00d98\u00e08\u00ec8\u001c949P9k9\u00b89\u00fa9H:~:\u001b;\u0098;a\u00cc>\u00ed>f?p?z?\u0084?\u008e?\u0099?\u009e?\u0000\u0000\u0000\u0080\u0000\u0000\b\u0002\u0000\u0000\u00e70\u00f20\u00fc0\u00061\u00101\u001a1%1]1j1{1\u00991\u00a01\u00a51\u00b21\u00d01\u00d71\u00dc1\u00e91\u00f01\u000e2\u00192 2.292@2N2q2\u00a42\u00c02\u00d62\u00f02'3D3O3n3{3\u00843\u00993\u00be3\u000b5\u00165 5*545F5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00a85\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d85\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00136 6+656f6\u00806\u00936\u00bf6\u00e16\u00ed6\u00f26\u00017\u00157!7\/7H7V7k7w7\u00857\u00ad7\u00ba7\u00c07\u00cc7\u00d27\u00d77\u00e17\u00f07\u00fb7\u00068\"8D8P8U88\u00848\u008e8\u00988\u00a28\u00b48\u00cd8\u00e38\u00ef8\u00fd8\u001b919>9J9`9m9\u00a19\u00ad9\u00b79\u00be9\u00c39\u00cf9\u00df9\u00f09\u00ff9\u000b:\u0010:\u001c:(:4:?:U:f:w:\u0087:\u009f:\u00f7:\u0019;o;\u0094;\u009e;\u00af;\u00b4;\u00c0;\u00c8;\u00cd;\u00d9;\u00e8;\u00ed;\u00f9;\u0007<\r<\u0017<.<:\u0007>\f>\u0016>\u001b> >5>?>D>I>S>Z>_>i>n>s>}>\u0086>\u0091>\u00a7>\u00b8>\u00c5>\u00d1>\t?\u0015?\u001a?$?0?5?K?Y?c?n?u?z?\u0087?\u0094?\u00aa?\u00ba?\u00ce?\u00e0?\u00e6?\u00f0?\u00fc?\u0000\u0000\u0000\u0090\u0000\u0000\u00dc\u0000\u0000\u0000#0:0I0T0Y0^0~0\u00870\u008e0\u00940\u009e0\u00a90\u00b60\u00bc0\u00c60\u00d70\u00eb0\u00151\u001f1$1*141@1g1~1\u008d1\u00981\u009d1\u00a21\u00b51\u00d01\u00e51\u00f51\u00fa1\t2\u00192!2)24292C2I2t2|2\u00872\u008c2\u00962\u00a62\u00bb2\u00cb2\u00d02\u00df2\u00ef2\u00f72\u00ff2\n3\u000f3\u00193\u001f3J3R3]3b3l3|3\u00923\u00a23\u00a73\u00b63\u00c63\u00ce3\u00d63\u00e13\u00e63\u00f03\u00f63!4)44494C4M4R4W4a4q4y4\u00814\u008c4\u00914\u009b4\u00a14\u00c84\u00d04\u00db4\u00e04\u00ea4\u00fd4\b5\u00105\u00185#5<5B5V5\u0000\u0000\u0000\u00a0\u0000\u0000@\u0000\u0000\u0000$0(0,0004080<0D0H0L0l0p0t0\u00b00\u00f80\u00fc0\u00001\u00041\b1\f1\u00101\u00141\u00181\u001c1 1$1(1,1\u0000 \u0001\u0000\u0014\u0000\u0000\u0000\u00000\u00040\b0\f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00411000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 283
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0010A\u0000\b\u0010A\u0000x\u00a0@\u0000\u0010 A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00412000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 286
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0010\u0000\u0000\u00c4\u0000\u0000\u0000\u00000\u00120\u001a0\"0*020:0B0J0R0Z0b0j0r0z0\u00820\u008a0\u00920\u009a0\u00a20\u00aa0\u00b20\u00b80\u00c90\u00d20\u00eb0\u00f40\u00061\u001e1?1X1q1\u00821\u00971\u00a41\u00c41z2\u00a92\u00b42\u00c52\u00da2\u00f02\b3\u00163J3f3r3\u00863\u00b33\u00e03\u00e93\u001b4$4Y4`4\u00824\u00cf4%5_5e5v5\u00855\u008b5\u00995\u00a95\u00bc5\u00c65\u00ca5\u00d05\u00d45\u00d95\u00e05\u00e65\u00ee5\u00f45 6*6Q6V6[6}6\u00866\u009c6\u00b46\u00cf6\u00ee6\u00f76\u001d7*7};M?W?\u00f5?\u00fe?\u0000 \u0000\u0000D\u0001\u0000\u0000\t0\u000e0\u00160>2E2R2\u008b2\u00972\u009f2\u00a52\u00b22\u00c22\u00cf2\u00d52\u00d92\u00e02\u00e92\u00f22\u00033b3\u008c3\u009a3\u009f3\u00b83\u00c83\u00d93\u00ea3\u00f63\u00fb3\u00004\u00074\u000e4\u00184\/4;4B4T4f4s44\u008c4\u009e4\u00a64\u00ae4\u00b64\u00be4\u00c64\u00ce4\u00d64\u00de4\u00e64\u00ee4\u00f64\u001e5&5.565>5F5N5V5^5f5n5v5~5\u00865\u008e5\u00965\u009e5\u00a65\u00ae5\u00b65\u00be5\u00c65\u00ce5\u00d65\u00de5\u00e65\u00ee5\u00f65\u00fe5\u00066\u000e6\u00166\u001e6&6.666>6F6N6V6^6f6n6v6~6\u00866\u008e6\u00966\u009e6\u00a66\u00ae6\u00b66\u00be6\u00c66\u00ce6\u00d66\u00de6\u00e66\u00ee6\u00f66\u00fe6\u00067\u000e7\u00167\u001e7&7.767>7F7N7V7^7f7n7v7~7\u00867\u008e7\u00967\u009e7\u00bb7\u00c77\u00d47\u00e67\u00ee7\u00f67R8\u00878\u00139$9E9\u0006:2:\u0084:\u000e;\u0016;\u001e;7;h;\u00be;\u00e0;\u0014>\u001f>{>\u00000\u0000\u0000\u00ac\u0000\u0000\u0000\u00111e1\u00821\u008a1R2p2\u00a12\u00c32\u00c23\u00ca3\u00d23\u00c54W55\u008b5\u00925\u00a45\u00b85\u00bc5\u00c25\u00ca5\u00816\u00916\u009c6\u00aa6\u00b76\u00ff6\u00167H7\\7z7\u001a8\u001f8\u00968\u00be8\u0085;\u0096;\u00c3;\u00c9;\u00d4;\u00eb;\u00fc;\u001e<)<\/<:<@\u001b>'>4>F>S>_>l>~>\u008b>\u0097>\u00a4>\u00b6>\u008d?\u0000\u0000\u0000@\u0000\u0000\u00d4\u0000\u0000\u0000\u00041+171>1H1R1d1x1|1\u00801\u00841\u008a1\u00921\u00df1\u00ec1\u00f21\u00fc1\b2\u00112\u00192(2-272<2B2N2e22\u00a02\u00a62\u00b22\u00bf2\u00d62\u00dc2\u00ed2\u00f32\u00103\u00163#363C3I3S3j3\u00b63\u00be3\u00f73\u00054\u00104O4\u00ab4\u00c04\u00dc4&5\u00af5\u00eb5d6\u00ca6\u00ed6\u001a73788=8K8Y8\u00e48\u00169\u00e29):9:F:\u0083;\u00cc;\u00e4;\u00f7;><\u009b<\u00b4<\u00d8<=\u008b=\u0092=\u009c=\u00a7=\u00b9=\u00cc=\u00d0=\u00d6=\u00de=\u00ea=\u00f2=X>\u00a2>\u00d4>\u001e?@?U?{?\u0088?\u0090?\u00a2?\u00f2?\u0000P\u0000\u0000\u0090\u0001\u0000\u0000\u00180\u00820\u008f0\u00970\u00a90\u00f90\u00181\u00f02'3.3&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4\u00824\u00864\u008a4\u008e4\u00924\u00964\u009a4\u009e4\u00a24\u00a64\u00aa4\u00ae4\u00b24\u00b64\u00ba4\u00be4\u00c24\u00c64\u00ca4\u00ce4\u00d24\u00d64\u00da4\u00de4\u00e24\u00e64\u00ea4\u00ee4\u00f24\u00f64\u00fa4\u00fe4\u00025\u00065\n5\u000e5\u00125\u00165\u001a5\u001e5\"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5\u00825\u00895\u009a5\u00ab5\u00bc5\u00cd5\u00de5\u00ef5\u00006\u00116\"636D6U6f6w6\u00886\u00996\u00aa6\u00bb6\u00cc6\u00dd6\u00ee6\u00ff6\u00107!727C7T7e7v7\u00877\u00987\u00a97\u00ba7\u00cb7\u00dc7\u00ed7\u00fe7\u000f8 818B8S8d8u8\u00868\u00978\u00a88\u00b98\u00ca8\u00db8\u00ec8\u00fd8\u000e9\u001f909A9R9c9t9\u00859\u00969\u00a79\u00b89\u00c99\u00da9\u00eb9\u00fc9\r:\u001e:\/:@:Q:b:s:\u0084:\u0095:\u00a6:\u00b4:\u00c2:\u00d0:\u00de:\u00ec:\u00fa:\b;\u0016;$;:;D;T;f;\u00ab;G<`\u0010>7>U>a>u>}>\u008a>\u009a>\u00bb>\u00c9>\u00d4>\u00e0>\u00ea>\u00f4>\u00fc>\u000e?\u00ce?\u0000\u0000\u0000p\u0000\u0000\u00f4\u0000\u0000\u0000\u00030m0\u009e0\u00ba0\u00071\r1\u00131\u00191-171J1P1d1y1\u00881\u008e1\u00a61\u00bd1\u00c71\u00d81\u00ec1H2\u00922\u009b2\u00d52\u00ed2\u00fe2l3\u00843\u00923\u00a13\u00d23\u00f13\u00f63\u00fb3\u00004\f4\u00114$414C4N4Z4d4\u00814\u00d74\u00dd4\u00e34\u00eb4\u00f74\u00fe4\u000e5(53595G5\u00835\u008e5\u00975\u009f5\u00b05\u00d65\u00e05\u00f65\u00fc5\n6\u00156!6*626>6L6\u00826\u008a6\u00926\u009a6\u00a2677C7J7\\7s77\u008d7\u00fc7\u00018\u000f8\u001e8r8|8\u00868\u00908\u009a8\u00d98\u00e08\u00ec8\u001c949P9k9\u00b89\u00fa9H:~:\u001b;\u0098;a\u00cc>\u00ed>f?p?z?\u0084?\u008e?\u0099?\u009e?\u0000\u0000\u0000\u0080\u0000\u0000\b\u0002\u0000\u0000\u00e70\u00f20\u00fc0\u00061\u00101\u001a1%1]1j1{1\u00991\u00a01\u00a51\u00b21\u00d01\u00d71\u00dc1\u00e91\u00f01\u000e2\u00192 2.292@2N2q2\u00a42\u00c02\u00d62\u00f02'3D3O3n3{3\u00843\u00993\u00be3\u000b5\u00165 5*545F5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00a85\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d85\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00136 6+656f6\u00806\u00936\u00bf6\u00e16\u00ed6\u00f26\u00017\u00157!7\/7H7V7k7w7\u00857\u00ad7\u00ba7\u00c07\u00cc7\u00d27\u00d77\u00e17\u00f07\u00fb7\u00068\"8D8P8U88\u00848\u008e8\u00988\u00a28\u00b48\u00cd8\u00e38\u00ef8\u00fd8\u001b919>9J9`9m9\u00a19\u00ad9\u00b79\u00be9\u00c39\u00cf9\u00df9\u00f09\u00ff9\u000b:\u0010:\u001c:(:4:?:U:f:w:\u0087:\u009f:\u00f7:\u0019;o;\u0094;\u009e;\u00af;\u00b4;\u00c0;\u00c8;\u00cd;\u00d9;\u00e8;\u00ed;\u00f9;\u0007<\r<\u0017<.<:\u0007>\f>\u0016>\u001b> >5>?>D>I>S>Z>_>i>n>s>}>\u0086>\u0091>\u00a7>\u00b8>\u00c5>\u00d1>\t?\u0015?\u001a?$?0?5?K?Y?c?n?u?z?\u0087?\u0094?\u00aa?\u00ba?\u00ce?\u00e0?\u00e6?\u00f0?\u00fc?\u0000\u0000\u0000\u0090\u0000\u0000\u00dc\u0000\u0000\u0000#0:0I0T0Y0^0~0\u00870\u008e0\u00940\u009e0\u00a90\u00b60\u00bc0\u00c60\u00d70\u00eb0\u00151\u001f1$1*141@1g1~1\u008d1\u00981\u009d1\u00a21\u00b51\u00d01\u00e51\u00f51\u00fa1\t2\u00192!2)24292C2I2t2|2\u00872\u008c2\u00962\u00a62\u00bb2\u00cb2\u00d02\u00df2\u00ef2\u00f72\u00ff2\n3\u000f3\u00193\u001f3J3R3]3b3l3|3\u00923\u00a23\u00a73\u00b63\u00c63\u00ce3\u00d63\u00e13\u00e63\u00f03\u00f63!4)44494C4M4R4W4a4q4y4\u00814\u008c4\u00914\u009b4\u00a14\u00c84\u00d04\u00db4\u00e04\u00ea4\u00fd4\b5\u00105\u00185#5<5B5V5\u0000\u0000\u0000\u00a0\u0000\u0000@\u0000\u0000\u0000$0(0,0004080<0D0H0L0l0p0t0\u00b00\u00f80\u00fc0\u00001\u00041\b1\f1\u00101\u00141\u00181\u001c1 1$1(1,1\u0000 \u0001\u0000\u0014\u0000\u0000\u0000\u00000\u00040\b0\f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00413000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 289
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x000000f8",
"base_address": "0x7efde008"
},
"time": 1584247987.687625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 296
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "MZP\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u000f\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u001a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u00ba\u0010\u0000\u000e\u001f\u00b4\t\u00cd!\u00b8\u0001L\u00cd!\u0090\u0090This program must be run under Win32\r\n$7\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\b\u0000\u0019^B*\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u008e\u0081\u000b\u0001\u0002\u0019\u0000\u0088\u0000\u0000\u0000\u00ca\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0006\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0010\u0000\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000h\r\u0000\u0000\u0000@\u0001\u0000T\u00aa\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\b\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0001\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000CODE\u0000\u0000\u0000\u0000d\u0087\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0088\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`DATA\u0000\u0000\u0000\u00000\u0001\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u008c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0BSS\u0000\u0000\u0000\u0000\u0000\u00edN\u0000\u0000\u0000\u00b0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.idata\u0000\u0000h\r\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.tls\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.rdata\u0000\u0000\u0018\u0000\u0000\u0000\u0000 \u0001\u0000\u0000\u0002\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.reloc\u0000\u0000\b\n\u0000\u0000\u00000\u0001\u0000\u0000\f\u0000\u0000\u0000\u009e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.rsrc\u0000\u0000\u0000T\u00aa\u0005\u0000\u0000@\u0001\u0000\u0000\u00ac\u0005\u0000\u0000\u00aa\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00ac\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 268
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00002\u0013\u008b\u00c0\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\"@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000T\u0015@\u0000 \u0015@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000\u0000\u0000\u0000\u0000\u00b0\u0010@\u0000\u00c4\u0010@\u0000\u00e8\u0010@\u0000\u0000\u00cb\u00cc\u00c8\u00c9\u00d7\u00cf\u00c8\u00cd\u00ce\u00db\u00d8\u00ca\u00d9\u00da\u00dc\u00dd\u00de\u00df\u00e0\u00e1\u00e3\u0000\u00e4\u00e5\u008d@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000\u0010#@\u0000\u00ff\u00ff\u00ff\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000=@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0@\u0000\u00ec\u00c4@\u0000\u0090\u00b6@\u0000\u00e8\u00c4@\u0000\u00f8\u00c4@\u0000\u00e4\u00c4@\u0000\u00a4\u00c4@\u0000\u00c0\u00c4@\u0000\u00c8\u00c4@\u0000\f\u00d3@\u0000\u00dc\u00c4@\u0000\u00e0\u00c4@\u0000\u00bc\u00a0@\u0000\u0018\u00a0@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x0040a000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 275
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741583,
"api": "WriteProcessMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0003\u0001\u0000,\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a4\u0004\u0001\u0000t\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ec\u0004\u0001\u0000\u0084\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0001\u0000\u00a0\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a2\t\u0001\u0000\u009c\u0002\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Z\u000b\u0001\u0000\u0000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000v\u000b\u0001\u0000\b\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u000b\u0001\u0000 \u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\f\u0001\u0000(\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.\f\u0001\u00000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\f\u0001\u0000@\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u009e\f\u0001\u0000H\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00de\f\u0001\u0000X\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\r\u0001\u0000p\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0003\u0001\u0000\u009c\u0003\u0001\u0000\u00b2\u0003\u0001\u0000\u00c8\u0003\u0001\u0000\u00d6\u0003\u0001\u0000\u00f2\u0003\u0001\u0000\u00fe\u0003\u0001\u0000\u0010\u0004\u0001\u0000 \u0004\u0001\u0000.\u0004\u0001\u0000<\u0004\u0001\u0000J\u0004\u0001\u0000^\u0004\u0001\u0000l\u0004\u0001\u0000x\u0004\u0001\u0000\u0086\u0004\u0001\u0000\u0092\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00b2\u0004\u0001\u0000\u00c2\u0004\u0001\u0000\u00d8\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00fa\u0004\u0001\u0000\f\u0005\u0001\u0000 \u0005\u0001\u00000\u0005\u0001\u0000B\u0005\u0001\u0000R\u0005\u0001\u0000\u0000\u0000\u0000\u0000n\u0005\u0001\u0000z\u0005\u0001\u0000\u0090\u0005\u0001\u0000\u009c\u0005\u0001\u0000\u00b2\u0005\u0001\u0000\u00c6\u0005\u0001\u0000\u00d6\u0005\u0001\u0000\u00e4\u0005\u0001\u0000\u00f6\u0005\u0001\u0000\u0006\u0006\u0001\u0000\u0018\u0006\u0001\u0000,\u0006\u0001\u0000D\u0006\u0001\u0000L\u0006\u0001\u0000^\u0006\u0001\u0000r\u0006\u0001\u0000\u0086\u0006\u0001\u0000\u0094\u0006\u0001\u0000\u00a6\u0006\u0001\u0000\u00bc\u0006\u0001\u0000\u00cc\u0006\u0001\u0000\u00dc\u0006\u0001\u0000\u00ec\u0006\u0001\u0000\u0000\u0007\u0001\u0000",
"process_handle": "0x000000f8",
"base_address": "0x0040b000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 278
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0003\u0001\u0000,\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a4\u0004\u0001\u0000t\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ec\u0004\u0001\u0000\u0084\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0001\u0000\u00a0\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a2\t\u0001\u0000\u009c\u0002\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Z\u000b\u0001\u0000\u0000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000v\u000b\u0001\u0000\b\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u000b\u0001\u0000 \u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\f\u0001\u0000(\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.\f\u0001\u00000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\f\u0001\u0000@\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u009e\f\u0001\u0000H\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00de\f\u0001\u0000X\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\r\u0001\u0000p\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0003\u0001\u0000\u009c\u0003\u0001\u0000\u00b2\u0003\u0001\u0000\u00c8\u0003\u0001\u0000\u00d6\u0003\u0001\u0000\u00f2\u0003\u0001\u0000\u00fe\u0003\u0001\u0000\u0010\u0004\u0001\u0000 \u0004\u0001\u0000.\u0004\u0001\u0000<\u0004\u0001\u0000J\u0004\u0001\u0000^\u0004\u0001\u0000l\u0004\u0001\u0000x\u0004\u0001\u0000\u0086\u0004\u0001\u0000\u0092\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00b2\u0004\u0001\u0000\u00c2\u0004\u0001\u0000\u00d8\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00fa\u0004\u0001\u0000\f\u0005\u0001\u0000 \u0005\u0001\u00000\u0005\u0001\u0000B\u0005\u0001\u0000R\u0005\u0001\u0000\u0000\u0000\u0000\u0000n\u0005\u0001\u0000z\u0005\u0001\u0000\u0090\u0005\u0001\u0000\u009c\u0005\u0001\u0000\u00b2\u0005\u0001\u0000\u00c6\u0005\u0001\u0000\u00d6\u0005\u0001\u0000\u00e4\u0005\u0001\u0000\u00f6\u0005\u0001\u0000\u0006\u0006\u0001\u0000\u0018\u0006\u0001\u0000,\u0006\u0001\u0000D\u0006\u0001\u0000L\u0006\u0001\u0000^\u0006\u0001\u0000r\u0006\u0001\u0000\u0086\u0006\u0001\u0000\u0094\u0006\u0001\u0000\u00a6\u0006\u0001\u0000\u00bc\u0006\u0001\u0000\u00cc\u0006\u0001\u0000\u00dc\u0006\u0001\u0000\u00ec\u0006\u0001\u0000\u0000\u0007\u0001\u0000\f\u0007\u0001\u0000\u001a\u0007\u0001\u0000*\u0007\u0001\u0000D\u0007\u0001\u0000T\u0007\u0001\u0000d\u0007\u0001\u0000t\u0007\u0001\u0000\u0082\u0007\u0001\u0000\u0090\u0007\u0001\u0000\u00a8\u0007\u0001\u0000\u00ba\u0007\u0001\u0000\u00ce\u0007\u0001\u0000\u00de\u0007\u0001\u0000\u00f4\u0007\u0001\u0000\u0006\b\u0001\u0000\u001a\b\u0001\u00000\b\u0001\u0000@\b\u0001\u0000P\b\u0001\u0000^\b\u0001\u0000t\b\u0001\u0000\u0086\b\u0001\u0000\u009c\b\u0001\u0000\u00b0\b\u0001\u0000\u00c2\b\u0001\u0000\u00d2\b\u0001\u0000\u00e0\b\u0001\u0000\u00f0\b\u0001\u0000\u0002\t\u0001\u0000\u0010\t\u0001\u0000\u001e\t\u0001\u0000.\t\u0001\u0000D\t\u0001\u0000V\t\u0001\u0000f\t\u0001\u0000t\t\u0001\u0000\u0088\t\u0001\u0000\u0094\t\u0001\u0000\u0000\u0000\u0000\u0000\u00ae\t\u0001\u0000\u00c4\t\u0001\u0000\u00d2\t\u0001\u0000\u00e6\t\u0001\u0000\u00fc\t\u0001\u0000\f\n\u0001\u0000\u001e\n\u0001\u0000.\n\u0001\u0000>\n\u0001\u0000L\n\u0001\u0000^\n\u0001\u0000z\n\u0001\u0000\u008c\n\u0001\u0000\u009c\n\u0001\u0000\u00b0\n\u0001\u0000\u00be\n\u0001\u0000\u00d4\n\u0001\u0000\u00e8\n\u0001\u0000\u00fc\n\u0001\u0000\u000e\u000b\u0001\u0000 \u000b\u0001\u0000.\u000b\u0001\u0000:\u000b\u0001\u0000H\u000b\u0001\u0000\u0000\u0000\u0000\u0000f\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u0082\u000b\u0001\u0000\u009a\u000b\u0001\u0000\u00b8\u000b\u0001\u0000\u00c6\u000b\u0001\u0000\u00d8\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u00f4\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u0016\f\u0001\u0000\u0000\u0000\u0000\u0000<\f\u0001\u0000N\f\u0001\u0000`\f\u0001\u0000\u0000\u0000\u0000\u0000\u0086\f\u0001\u0000\u0000\u0000\u0000\u0000\u00aa\f\u0001\u0000\u00bc\f\u0001\u0000\u00ca\f\u0001\u0000\u0000\u0000\u0000\u0000\u00ea\f\u0001\u0000\u0000\r\u0001\u0000\u000e\r\u0001\u0000(\r\u0001\u00008\r\u0001\u0000\u0000\u0000\u0000\u0000X\r\u0001\u0000\u0000\u0000\u0000\u0000kernel32.dll\u0000\u0000\u0000\u0000GetCurrentThreadId\u0000\u0000\u0000\u0000WideCharToMultiByte\u0000\u0000\u0000MultiByteToWideChar\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000UnhandledExceptionFilter\u0000\u0000\u0000\u0000RtlUnwind\u0000\u0000\u0000RaiseException\u0000\u0000\u0000\u0000GetSystemTime\u0000\u0000\u0000TlsSetValue\u0000\u0000\u0000TlsGetValue\u0000\u0000\u0000LocalAlloc\u0000\u0000\u0000\u0000GetModuleHandleA\u0000\u0000\u0000\u0000FreeLibrary\u0000\u0000\u0000HeapFree\u0000\u0000\u0000\u0000HeapReAlloc\u0000\u0000\u0000HeapAlloc\u0000\u0000\u0000GetProcessHeap\u0000\u0000oleaut32.dll\u0000\u0000\u0000\u0000SysFreeString\u0000\u0000\u0000SysReAllocStringLen\u0000\u0000\u0000SysAllocStringLen\u0000advapi32.dll\u0000\u0000\u0000\u0000RegSetValueExW\u0000\u0000\u0000\u0000RegQueryValueExW\u0000\u0000\u0000\u0000RegOpenKeyExW\u0000\u0000\u0000RegCreateKeyExW\u0000\u0000\u0000RegCreateKeyW\u0000\u0000\u0000RegCloseKey\u0000kernel32.dll\u0000\u0000\u0000\u0000lstrlenW\u0000\u0000\u0000\u0000WriteProcessMemory\u0000\u0000\u0000\u0000WriteFile\u0000\u0000\u0000WaitForSingleObject\u0000\u0000\u0000VirtualProtectEx\u0000\u0000\u0000\u0000VirtualFreeEx\u0000\u0000\u0000VirtualFree\u0000\u0000\u0000VirtualAllocEx\u0000\u0000\u0000\u0000VirtualAlloc\u0000\u0000\u0000\u0000TerminateThread\u0000\u0000\u0000TerminateProcess\u0000\u0000\u0000\u0000SystemTimeToFileTime\u0000\u0000\u0000\u0000Sleep\u0000\u0000\u0000SizeofResource\u0000\u0000\u0000\u0000SetThreadPriority\u0000\u0000\u0000SetThreadContext\u0000\u0000\u0000\u0000SetFileTime\u0000\u0000\u0000SetFilePointer\u0000\u0000\u0000\u0000SetFileAttributesW\u0000\u0000\u0000\u0000SetErrorMode\u0000\u0000\u0000\u0000SetEndOfFile\u0000\u0000\u0000\u0000ResumeThread\u0000\u0000\u0000\u0000ReadProcessMemory\u0000\u0000\u0000ReadFile\u0000\u0000\u0000\u0000OpenProcess\u0000\u0000\u0000LockResource\u0000\u0000\u0000\u0000LocalFileTimeToFileTime\u0000\u0000\u0000LoadResource\u0000\u0000\u0000\u0000LoadLibraryA\u0000\u0000\u0000\u0000GlobalUnlock\u0000\u0000\u0000\u0000GlobalSize\u0000\u0000\u0000\u0000GlobalLock\u0000\u0000\u0000\u0000GetWindowsDirectoryW\u0000\u0000\u0000\u0000GetTimeFormatW\u0000\u0000\u0000\u0000GetThreadContext\u0000\u0000\u0000\u0000GetTempPathW\u0000\u0000\u0000\u0000GetSystemDirectoryW\u0000\u0000\u0000GetProcAddress\u0000\u0000\u0000\u0000GetModuleHandleA\u0000\u0000\u0000\u0000GetModuleFileNameW\u0000\u0000\u0000\u0000GetLocalTime\u0000\u0000\u0000\u0000GetLastError\u0000\u0000\u0000\u0000GetFileSize\u0000\u0000\u0000GetFileAttributesW\u0000\u0000\u0000\u0000GetDateFormatW\u0000\u0000\u0000\u0000GetCurrentProcessId\u0000\u0000\u0000GetCurrentProcess\u0000\u0000\u0000GetCommandLineW\u0000\u0000\u0000FreeResource\u0000\u0000\u0000\u0000FreeLibrary\u0000\u0000\u0000FindResourceW\u0000\u0000\u0000FindFirstFileW\u0000\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000DeleteFileW\u0000\u0000\u0000CreateThread\u0000\u0000\u0000\u0000CreateRemoteThread\u0000\u0000\u0000\u0000CreateProcessW\u0000\u0000\u0000\u0000CreateMutexW\u0000\u0000\u0000\u0000CreateFileW\u0000\u0000\u0000CreateDirectoryW\u0000\u0000\u0000\u0000CopyFileW\u0000\u0000\u0000CloseHandle\u0000user32.dll\u0000\u0000\u0000\u0000UnhookWindowsHookEx\u0000\u0000\u0000ShowWindow\u0000\u0000\u0000\u0000SetWindowsHookExW\u0000\u0000\u0000SetClipboardViewer\u0000\u0000\u0000\u0000SendMessageA\u0000\u0000\u0000\u0000RegisterClassW\u0000\u0000\u0000\u0000PostMessageA\u0000\u0000\u0000\u0000OpenClipboard\u0000\u0000\u0000MessageBoxW\u0000\u0000\u0000MapVirtualKeyW\u0000\u0000\u0000\u0000GetWindowThreadProcessId\u0000\u0000\u0000\u0000GetWindowTextW\u0000\u0000\u0000\u0000GetWindowRect\u0000\u0000\u0000GetKeyboardLayout\u0000\u0000\u0000GetKeyState\u0000\u0000\u0000GetForegroundWindow\u0000\u0000\u0000GetDesktopWindow\u0000\u0000\u0000\u0000GetClipboardData\u0000\u0000\u0000\u0000DefWindowProcA\u0000\u0000\u0000\u0000CloseClipboard\u0000\u0000\u0000\u0000CharUpperW\u0000\u0000\u0000\u0000CharNextW\u0000\u0000\u0000CharLowerW\u0000\u0000\u0000\u0000CallNextHookEx\u0000\u0000shlwapi.dll\u0000\u0000\u0000SHDeleteKeyW\u0000\u0000shell32.dll\u0000\u0000\u0000SHGetPathFromIDListW\u0000\u0000\u0000\u0000SHGetSpecialFolderLocation\u0000\u0000\u0000\u0000SHGetMalloc\u0000\u0000\u0000FindExecutableW\u0000\u0000\u0000ShellExecuteW\u0000urlmon.dll\u0000\u0000\u0000\u0000URLDownloadToFileW\u0000\u0000wininet.dll\u0000\u0000\u0000DeleteUrlCacheEntryW\u0000\u0000kernel32.dll\u0000\u0000\u0000\u0000Process32NextW\u0000\u0000\u0000\u0000Process32FirstW\u0000\u0000\u0000CreateToolhelp32Snapshot\u0000\u0000ntdll.dll\u0000\u0000\u0000NtUnmapViewOfSection\u0000\u0000user32.dll\u0000\u0000\u0000\u0000CreateWindowExW\u0000\u0000\u0000ToUnicodeEx\u0000\u0000\u0000GetKeyboardState\u0000\u0000wininet.dll\u0000\u0000\u0000InternetCloseHandle\u0000\u0000\u0000FtpPutFileW\u0000\u0000\u0000FtpSetCurrentDirectoryW\u0000\u0000\u0000InternetOpenW\u0000\u0000\u0000InternetConnectW\u0000\u0000shell32.dll\u0000\u0000\u0000ShellExecuteW\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00410000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 281
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741583,
"api": "WriteProcessMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0010A\u0000\b\u0010A\u0000x\u00a0@\u0000\u0010 A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u00c4\u0000\u0000\u0000\u00000\u00120\u001a0\"0*020:0B0J0R0Z0b0j0r0z0\u00820\u008a0\u00920\u009a0\u00a20\u00aa0\u00b20\u00b80\u00c90\u00d20\u00eb0\u00f40\u00061\u001e1?1X1q1\u00821\u00971\u00a41\u00c41z2\u00a92\u00b42\u00c52\u00da2\u00f02\b3\u00163J3f3r3\u00863\u00b33\u00e03\u00e93\u001b4$4Y4`4\u00824\u00cf4%5_5e5v5\u00855\u008b5\u00995\u00a95\u00bc5\u00c65\u00ca5\u00d05\u00d45\u00d95\u00e05\u00e65\u00ee5\u00f45 6*6Q6V6[6}6\u00866\u009c6\u00b46\u00cf6\u00ee6\u00f76\u001d7*7};M?W?\u00f5?\u00fe?\u0000 \u0000\u0000D\u0001\u0000\u0000\t0\u000e0\u00160>2E2R2\u008b2\u00972\u009f2\u00a52\u00b22\u00c22\u00cf2\u00d52\u00d92\u00e02\u00e92\u00f22\u00033b3\u008c3\u009a3\u009f3\u00b83\u00c83\u00d93\u00ea3\u00f63\u00fb3\u00004\u00074\u000e4\u00184\/4;4B4T4f4s44\u008c4\u009e4\u00a64\u00ae4\u00b64\u00be4\u00c64\u00ce4\u00d64\u00de4\u00e64\u00ee4\u00f64\u001e5&5.565>5F5N5V5^5f5n5v5~5\u00865\u008e5\u00965\u009e5\u00a65\u00ae5\u00b65\u00be5\u00c65\u00ce5\u00d65\u00de5\u00e65\u00ee5\u00f65\u00fe5\u00066\u000e6\u00166\u001e6&6.666>6F6N6V6^6f6n6v6~6\u00866\u008e6\u00966\u009e6\u00a66\u00ae6\u00b66\u00be6\u00c66\u00ce6\u00d66\u00de6\u00e66\u00ee6\u00f66\u00fe6\u00067\u000e7\u00167\u001e7&7.767>7F7N7V7^7f7n7v7~7\u00867\u008e7\u00967\u009e7\u00bb7\u00c77\u00d47\u00e67\u00ee7\u00f67R8\u00878\u00139$9E9\u0006:2:\u0084:\u000e;\u0016;\u001e;7;h;\u00be;\u00e0;\u0014>\u001f>{>\u00000\u0000\u0000\u00ac\u0000\u0000\u0000\u00111e1\u00821\u008a1R2p2\u00a12\u00c32\u00c23\u00ca3\u00d23\u00c54W55\u008b5\u00925\u00a45\u00b85\u00bc5\u00c25\u00ca5\u00816\u00916\u009c6\u00aa6\u00b76\u00ff6\u00167H7\\7z7\u001a8\u001f8\u00968\u00be8\u0085;\u0096;\u00c3;\u00c9;\u00d4;\u00eb;\u00fc;\u001e<)<\/<:<@\u001b>'>4>F>S>_>l>~>\u008b>\u0097>\u00a4>\u00b6>\u008d?\u0000\u0000\u0000@\u0000\u0000\u00d4\u0000\u0000\u0000\u00041+171>1H1R1d1x1|1\u00801\u00841\u008a1\u00921\u00df1\u00ec1\u00f21\u00fc1\b2\u00112\u00192(2-272<2B2N2e22\u00a02\u00a62\u00b22\u00bf2\u00d62\u00dc2\u00ed2\u00f32\u00103\u00163#363C3I3S3j3\u00b63\u00be3\u00f73\u00054\u00104O4\u00ab4\u00c04\u00dc4&5\u00af5\u00eb5d6\u00ca6\u00ed6\u001a73788=8K8Y8\u00e48\u00169\u00e29):9:F:\u0083;\u00cc;\u00e4;\u00f7;><\u009b<\u00b4<\u00d8<=\u008b=\u0092=\u009c=\u00a7=\u00b9=\u00cc=\u00d0=\u00d6=\u00de=\u00ea=\u00f2=X>\u00a2>\u00d4>\u001e?@?U?{?\u0088?\u0090?\u00a2?\u00f2?\u0000P\u0000\u0000\u0090\u0001\u0000\u0000\u00180\u00820\u008f0\u00970\u00a90\u00f90\u00181\u00f02'3.3&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4\u00824\u00864\u008a4\u008e4\u00924\u00964\u009a4\u009e4\u00a24\u00a64\u00aa4\u00ae4\u00b24\u00b64\u00ba4\u00be4\u00c24\u00c64\u00ca4\u00ce4\u00d24\u00d64\u00da4\u00de4\u00e24\u00e64\u00ea4\u00ee4\u00f24\u00f64\u00fa4\u00fe4\u00025\u00065\n5\u000e5\u00125\u00165\u001a5\u001e5\"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5\u00825\u00895\u009a5\u00ab5\u00bc5\u00cd5\u00de5\u00ef5\u00006\u00116\"636D6U6f6w6\u00886\u00996\u00aa6\u00bb6\u00cc6\u00dd6\u00ee6\u00ff6\u00107!727C7T7e7v7\u00877\u00987\u00a97\u00ba7\u00cb7\u00dc7\u00ed7\u00fe7\u000f8 818B8S8d8u8\u00868\u00978\u00a88\u00b98\u00ca8\u00db8\u00ec8\u00fd8\u000e9\u001f909A9R9c9t9\u00859\u00969\u00a79\u00b89\u00c99\u00da9\u00eb9\u00fc9\r:\u001e:\/:@:Q:b:s:\u0084:\u0095:\u00a6:\u00b4:\u00c2:\u00d0:\u00de:\u00ec:\u00fa:\b;\u0016;$;:;D;T;f;\u00ab;G<`\u0010>7>U>a>u>}>\u008a>\u009a>\u00bb>\u00c9>\u00d4>\u00e0>\u00ea>\u00f4>\u00fc>\u000e?\u00ce?\u0000\u0000\u0000p\u0000\u0000\u00f4\u0000\u0000\u0000\u00030m0\u009e0\u00ba0\u00071\r1\u00131\u00191-171J1P1d1y1\u00881\u008e1\u00a61\u00bd1\u00c71\u00d81\u00ec1H2\u00922\u009b2\u00d52\u00ed2\u00fe2l3\u00843\u00923\u00a13\u00d23\u00f13\u00f63\u00fb3\u00004\f4\u00114$414C4N4Z4d4\u00814\u00d74\u00dd4\u00e34\u00eb4\u00f74\u00fe4\u000e5(53595G5\u00835\u008e5\u00975\u009f5\u00b05\u00d65\u00e05\u00f65\u00fc5\n6\u00156!6*626>6L6\u00826\u008a6\u00926\u009a6\u00a2677C7J7\\7s77\u008d7\u00fc7\u00018\u000f8\u001e8r8|8\u00868\u00908\u009a8\u00d98\u00e08\u00ec8\u001c949P9k9\u00b89\u00fa9H:~:\u001b;\u0098;a\u00cc>\u00ed>f?p?z?\u0084?\u008e?\u0099?\u009e?\u0000\u0000\u0000\u0080\u0000\u0000\b\u0002\u0000\u0000\u00e70\u00f20\u00fc0\u00061\u00101\u001a1%1]1j1{1\u00991\u00a01\u00a51\u00b21\u00d01\u00d71\u00dc1\u00e91\u00f01\u000e2\u00192 2.292@2N2q2\u00a42\u00c02\u00d62\u00f02'3D3O3n3{3\u00843\u00993\u00be3\u000b5\u00165 5*545F5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00a85\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d85\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00136 6+656f6\u00806\u00936\u00bf6\u00e16\u00ed6\u00f26\u00017\u00157!7\/7H7V7k7w7\u00857\u00ad7\u00ba7\u00c07\u00cc7\u00d27\u00d77\u00e17\u00f07\u00fb7\u00068\"8D8P8U88\u00848\u008e8\u00988\u00a28\u00b48\u00cd8\u00e38\u00ef8\u00fd8\u001b919>9J9`9m9\u00a19\u00ad9\u00b79\u00be9\u00c39\u00cf9\u00df9\u00f09\u00ff9\u000b:\u0010:\u001c:(:4:?:U:f:w:\u0087:\u009f:\u00f7:\u0019;o;\u0094;\u009e;\u00af;\u00b4;\u00c0;\u00c8;\u00cd;\u00d9;\u00e8;\u00ed;\u00f9;\u0007<\r<\u0017<.<:\u0007>\f>\u0016>\u001b> >5>?>D>I>S>Z>_>i>n>s>}>\u0086>\u0091>\u00a7>\u00b8>\u00c5>\u00d1>\t?\u0015?\u001a?$?0?5?K?Y?c?n?u?z?\u0087?\u0094?\u00aa?\u00ba?\u00ce?\u00e0?\u00e6?\u00f0?\u00fc?\u0000\u0000\u0000\u0090\u0000\u0000\u00dc\u0000\u0000\u0000#0:0I0T0Y0^0~0\u00870\u008e0\u00940\u009e0\u00a90\u00b60\u00bc0\u00c60\u00d70\u00eb0\u00151\u001f1$1*141@1g1~1\u008d1\u00981\u009d1\u00a21\u00b51\u00d01\u00e51\u00f51\u00fa1\t2\u00192!2)24292C2I2t2|2\u00872\u008c2\u00962\u00a62\u00bb2\u00cb2\u00d02\u00df2\u00ef2\u00f72\u00ff2\n3\u000f3\u00193\u001f3J3R3]3b3l3|3\u00923\u00a23\u00a73\u00b63\u00c63\u00ce3\u00d63\u00e13\u00e63\u00f03\u00f63!4)44494C4M4R4W4a4q4y4\u00814\u008c4\u00914\u009b4\u00a14\u00c84\u00d04\u00db4\u00e04\u00ea4\u00fd4\b5\u00105\u00185#5<5B5V5\u0000\u0000\u0000\u00a0\u0000\u0000@\u0000\u0000\u0000$0(0,0004080<0D0H0L0l0p0t0\u00b00\u00f80\u00fc0\u00001\u00041\b1\f1\u00101\u00141\u00181\u001c1 1$1(1,1\u0000 \u0001\u0000\u0014\u0000\u0000\u0000\u00000\u00040\b0\f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00411000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 284
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0010A\u0000\b\u0010A\u0000x\u00a0@\u0000\u0010 A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00412000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 287
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0010\u0000\u0000\u00c4\u0000\u0000\u0000\u00000\u00120\u001a0\"0*020:0B0J0R0Z0b0j0r0z0\u00820\u008a0\u00920\u009a0\u00a20\u00aa0\u00b20\u00b80\u00c90\u00d20\u00eb0\u00f40\u00061\u001e1?1X1q1\u00821\u00971\u00a41\u00c41z2\u00a92\u00b42\u00c52\u00da2\u00f02\b3\u00163J3f3r3\u00863\u00b33\u00e03\u00e93\u001b4$4Y4`4\u00824\u00cf4%5_5e5v5\u00855\u008b5\u00995\u00a95\u00bc5\u00c65\u00ca5\u00d05\u00d45\u00d95\u00e05\u00e65\u00ee5\u00f45 6*6Q6V6[6}6\u00866\u009c6\u00b46\u00cf6\u00ee6\u00f76\u001d7*7};M?W?\u00f5?\u00fe?\u0000 \u0000\u0000D\u0001\u0000\u0000\t0\u000e0\u00160>2E2R2\u008b2\u00972\u009f2\u00a52\u00b22\u00c22\u00cf2\u00d52\u00d92\u00e02\u00e92\u00f22\u00033b3\u008c3\u009a3\u009f3\u00b83\u00c83\u00d93\u00ea3\u00f63\u00fb3\u00004\u00074\u000e4\u00184\/4;4B4T4f4s44\u008c4\u009e4\u00a64\u00ae4\u00b64\u00be4\u00c64\u00ce4\u00d64\u00de4\u00e64\u00ee4\u00f64\u001e5&5.565>5F5N5V5^5f5n5v5~5\u00865\u008e5\u00965\u009e5\u00a65\u00ae5\u00b65\u00be5\u00c65\u00ce5\u00d65\u00de5\u00e65\u00ee5\u00f65\u00fe5\u00066\u000e6\u00166\u001e6&6.666>6F6N6V6^6f6n6v6~6\u00866\u008e6\u00966\u009e6\u00a66\u00ae6\u00b66\u00be6\u00c66\u00ce6\u00d66\u00de6\u00e66\u00ee6\u00f66\u00fe6\u00067\u000e7\u00167\u001e7&7.767>7F7N7V7^7f7n7v7~7\u00867\u008e7\u00967\u009e7\u00bb7\u00c77\u00d47\u00e67\u00ee7\u00f67R8\u00878\u00139$9E9\u0006:2:\u0084:\u000e;\u0016;\u001e;7;h;\u00be;\u00e0;\u0014>\u001f>{>\u00000\u0000\u0000\u00ac\u0000\u0000\u0000\u00111e1\u00821\u008a1R2p2\u00a12\u00c32\u00c23\u00ca3\u00d23\u00c54W55\u008b5\u00925\u00a45\u00b85\u00bc5\u00c25\u00ca5\u00816\u00916\u009c6\u00aa6\u00b76\u00ff6\u00167H7\\7z7\u001a8\u001f8\u00968\u00be8\u0085;\u0096;\u00c3;\u00c9;\u00d4;\u00eb;\u00fc;\u001e<)<\/<:<@\u001b>'>4>F>S>_>l>~>\u008b>\u0097>\u00a4>\u00b6>\u008d?\u0000\u0000\u0000@\u0000\u0000\u00d4\u0000\u0000\u0000\u00041+171>1H1R1d1x1|1\u00801\u00841\u008a1\u00921\u00df1\u00ec1\u00f21\u00fc1\b2\u00112\u00192(2-272<2B2N2e22\u00a02\u00a62\u00b22\u00bf2\u00d62\u00dc2\u00ed2\u00f32\u00103\u00163#363C3I3S3j3\u00b63\u00be3\u00f73\u00054\u00104O4\u00ab4\u00c04\u00dc4&5\u00af5\u00eb5d6\u00ca6\u00ed6\u001a73788=8K8Y8\u00e48\u00169\u00e29):9:F:\u0083;\u00cc;\u00e4;\u00f7;><\u009b<\u00b4<\u00d8<=\u008b=\u0092=\u009c=\u00a7=\u00b9=\u00cc=\u00d0=\u00d6=\u00de=\u00ea=\u00f2=X>\u00a2>\u00d4>\u001e?@?U?{?\u0088?\u0090?\u00a2?\u00f2?\u0000P\u0000\u0000\u0090\u0001\u0000\u0000\u00180\u00820\u008f0\u00970\u00a90\u00f90\u00181\u00f02'3.3&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4\u00824\u00864\u008a4\u008e4\u00924\u00964\u009a4\u009e4\u00a24\u00a64\u00aa4\u00ae4\u00b24\u00b64\u00ba4\u00be4\u00c24\u00c64\u00ca4\u00ce4\u00d24\u00d64\u00da4\u00de4\u00e24\u00e64\u00ea4\u00ee4\u00f24\u00f64\u00fa4\u00fe4\u00025\u00065\n5\u000e5\u00125\u00165\u001a5\u001e5\"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5\u00825\u00895\u009a5\u00ab5\u00bc5\u00cd5\u00de5\u00ef5\u00006\u00116\"636D6U6f6w6\u00886\u00996\u00aa6\u00bb6\u00cc6\u00dd6\u00ee6\u00ff6\u00107!727C7T7e7v7\u00877\u00987\u00a97\u00ba7\u00cb7\u00dc7\u00ed7\u00fe7\u000f8 818B8S8d8u8\u00868\u00978\u00a88\u00b98\u00ca8\u00db8\u00ec8\u00fd8\u000e9\u001f909A9R9c9t9\u00859\u00969\u00a79\u00b89\u00c99\u00da9\u00eb9\u00fc9\r:\u001e:\/:@:Q:b:s:\u0084:\u0095:\u00a6:\u00b4:\u00c2:\u00d0:\u00de:\u00ec:\u00fa:\b;\u0016;$;:;D;T;f;\u00ab;G<`\u0010>7>U>a>u>}>\u008a>\u009a>\u00bb>\u00c9>\u00d4>\u00e0>\u00ea>\u00f4>\u00fc>\u000e?\u00ce?\u0000\u0000\u0000p\u0000\u0000\u00f4\u0000\u0000\u0000\u00030m0\u009e0\u00ba0\u00071\r1\u00131\u00191-171J1P1d1y1\u00881\u008e1\u00a61\u00bd1\u00c71\u00d81\u00ec1H2\u00922\u009b2\u00d52\u00ed2\u00fe2l3\u00843\u00923\u00a13\u00d23\u00f13\u00f63\u00fb3\u00004\f4\u00114$414C4N4Z4d4\u00814\u00d74\u00dd4\u00e34\u00eb4\u00f74\u00fe4\u000e5(53595G5\u00835\u008e5\u00975\u009f5\u00b05\u00d65\u00e05\u00f65\u00fc5\n6\u00156!6*626>6L6\u00826\u008a6\u00926\u009a6\u00a2677C7J7\\7s77\u008d7\u00fc7\u00018\u000f8\u001e8r8|8\u00868\u00908\u009a8\u00d98\u00e08\u00ec8\u001c949P9k9\u00b89\u00fa9H:~:\u001b;\u0098;a\u00cc>\u00ed>f?p?z?\u0084?\u008e?\u0099?\u009e?\u0000\u0000\u0000\u0080\u0000\u0000\b\u0002\u0000\u0000\u00e70\u00f20\u00fc0\u00061\u00101\u001a1%1]1j1{1\u00991\u00a01\u00a51\u00b21\u00d01\u00d71\u00dc1\u00e91\u00f01\u000e2\u00192 2.292@2N2q2\u00a42\u00c02\u00d62\u00f02'3D3O3n3{3\u00843\u00993\u00be3\u000b5\u00165 5*545F5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00a85\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d85\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00136 6+656f6\u00806\u00936\u00bf6\u00e16\u00ed6\u00f26\u00017\u00157!7\/7H7V7k7w7\u00857\u00ad7\u00ba7\u00c07\u00cc7\u00d27\u00d77\u00e17\u00f07\u00fb7\u00068\"8D8P8U88\u00848\u008e8\u00988\u00a28\u00b48\u00cd8\u00e38\u00ef8\u00fd8\u001b919>9J9`9m9\u00a19\u00ad9\u00b79\u00be9\u00c39\u00cf9\u00df9\u00f09\u00ff9\u000b:\u0010:\u001c:(:4:?:U:f:w:\u0087:\u009f:\u00f7:\u0019;o;\u0094;\u009e;\u00af;\u00b4;\u00c0;\u00c8;\u00cd;\u00d9;\u00e8;\u00ed;\u00f9;\u0007<\r<\u0017<.<:\u0007>\f>\u0016>\u001b> >5>?>D>I>S>Z>_>i>n>s>}>\u0086>\u0091>\u00a7>\u00b8>\u00c5>\u00d1>\t?\u0015?\u001a?$?0?5?K?Y?c?n?u?z?\u0087?\u0094?\u00aa?\u00ba?\u00ce?\u00e0?\u00e6?\u00f0?\u00fc?\u0000\u0000\u0000\u0090\u0000\u0000\u00dc\u0000\u0000\u0000#0:0I0T0Y0^0~0\u00870\u008e0\u00940\u009e0\u00a90\u00b60\u00bc0\u00c60\u00d70\u00eb0\u00151\u001f1$1*141@1g1~1\u008d1\u00981\u009d1\u00a21\u00b51\u00d01\u00e51\u00f51\u00fa1\t2\u00192!2)24292C2I2t2|2\u00872\u008c2\u00962\u00a62\u00bb2\u00cb2\u00d02\u00df2\u00ef2\u00f72\u00ff2\n3\u000f3\u00193\u001f3J3R3]3b3l3|3\u00923\u00a23\u00a73\u00b63\u00c63\u00ce3\u00d63\u00e13\u00e63\u00f03\u00f63!4)44494C4M4R4W4a4q4y4\u00814\u008c4\u00914\u009b4\u00a14\u00c84\u00d04\u00db4\u00e04\u00ea4\u00fd4\b5\u00105\u00185#5<5B5V5\u0000\u0000\u0000\u00a0\u0000\u0000@\u0000\u0000\u0000$0(0,0004080<0D0H0L0l0p0t0\u00b00\u00f80\u00fc0\u00001\u00041\b1\f1\u00101\u00141\u00181\u001c1 1$1(1,1\u0000 \u0001\u0000\u0014\u0000\u0000\u0000\u00000\u00040\b0\f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00413000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 290
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x000000f8",
"base_address": "0x7efde008"
},
"time": 1584248004.781124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 297
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 2,
"families": [],
"description": "Code injection by writing an executable or DLL to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "MZP\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u000f\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u001a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u00ba\u0010\u0000\u000e\u001f\u00b4\t\u00cd!\u00b8\u0001L\u00cd!\u0090\u0090This program must be run under Win32\r\n$7\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\b\u0000\u0019^B*\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u008e\u0081\u000b\u0001\u0002\u0019\u0000\u0088\u0000\u0000\u0000\u00ca\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0006\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0010\u0000\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000h\r\u0000\u0000\u0000@\u0001\u0000T\u00aa\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\b\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0001\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000CODE\u0000\u0000\u0000\u0000d\u0087\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0088\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`DATA\u0000\u0000\u0000\u00000\u0001\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u008c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0BSS\u0000\u0000\u0000\u0000\u0000\u00edN\u0000\u0000\u0000\u00b0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.idata\u0000\u0000h\r\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.tls\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.rdata\u0000\u0000\u0018\u0000\u0000\u0000\u0000 \u0001\u0000\u0000\u0002\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.reloc\u0000\u0000\b\n\u0000\u0000\u00000\u0001\u0000\u0000\f\u0000\u0000\u0000\u009e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.rsrc\u0000\u0000\u0000T\u00aa\u0005\u0000\u0000@\u0001\u0000\u0000\u00ac\u0005\u0000\u0000\u00aa\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00ac\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 267
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2360,
"buffer": "MZP\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u000f\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u001a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u00ba\u0010\u0000\u000e\u001f\u00b4\t\u00cd!\u00b8\u0001L\u00cd!\u0090\u0090This program must be run under Win32\r\n$7\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\b\u0000\u0019^B*\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u008e\u0081\u000b\u0001\u0002\u0019\u0000\u0088\u0000\u0000\u0000\u00ca\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0006\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0010\u0000\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000h\r\u0000\u0000\u0000@\u0001\u0000T\u00aa\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\b\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0001\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000CODE\u0000\u0000\u0000\u0000d\u0087\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0088\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`DATA\u0000\u0000\u0000\u00000\u0001\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u008c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0BSS\u0000\u0000\u0000\u0000\u0000\u00edN\u0000\u0000\u0000\u00b0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.idata\u0000\u0000h\r\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.tls\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.rdata\u0000\u0000\u0018\u0000\u0000\u0000\u0000 \u0001\u0000\u0000\u0002\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.reloc\u0000\u0000\b\n\u0000\u0000\u00000\u0001\u0000\u0000\f\u0000\u0000\u0000\u009e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.rsrc\u0000\u0000\u0000T\u00aa\u0005\u0000\u0000@\u0001\u0000\u0000\u00ac\u0005\u0000\u0000\u00aa\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00ac\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 268
}
],
"references": [],
"name": "injection_write_memory_exe"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExW",
"return_value": 19923649,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x00406468",
"module_address": "0x00400000",
"hook_identifier": 13
},
"time": 1584248004.125124,
"tid": 2968,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 856,
"type": "call",
"cid": 683
}
],
"references": [],
"name": "infostealer_keylogger"
},
{
"markcount": 4,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2676 called NtSetContextThread to modify thread in remote process 856",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0",
"registers": {
"eip": 2008678852,
"esp": 1638384,
"edi": 0,
"eax": 4228608,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 856
},
"time": 1584247987.687625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 298
},
{
"category": "Process injection",
"ioc": "Process 2056 called NtSetContextThread to modify thread in remote process 2360",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0",
"registers": {
"eip": 2008678852,
"esp": 1638384,
"edi": 0,
"eax": 4228608,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2360
},
"time": 1584248004.781124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 299
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 4,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2676 resumed a thread in remote process 856",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0",
"suspend_count": 1,
"process_identifier": 856
},
"time": 1584247989.000625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 300
},
{
"category": "Process injection",
"ioc": "Process 2056 resumed a thread in remote process 2360",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0",
"suspend_count": 1,
"process_identifier": 2360
},
"time": 1584248006.078124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 301
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 1,
"families": [
"spynet"
],
"description": "Creates known SpyNet files, registry changes and\/or mutexes.",
"severity": 3,
"marks": [
{
"category": "mutex",
"ioc": "CYBERGATEUPDATE",
"type": "ioc",
"description": null
}
],
"references": [
"https:\/\/malwr.com\/analysis\/ZDQ1NjBhNWIzNTdkNDRhNjhkZTFmZTBkYTU2YjMwNzg\/",
"https:\/\/malwr.com\/analysis\/MjkxYmE2YzczNzcwNGJiZjljNDcwMzA2ZDkyNDU2Y2M\/",
"https:\/\/malwr.com\/analysis\/N2E3NWRiNDMyYjIwNGE0NTk3Y2E5NWMzN2UwZTVjMzI\/",
"https:\/\/malwr.com\/analysis\/N2Q2NWY0Y2MzOTM0NDEzNmE1MTdhOThiNTQxMzhiNzk\/"
],
"name": "rat_spynet"
},
{
"markcount": 64,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2968,
"thread_handle": "0x000000d0",
"process_identifier": 856,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac.bin",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000000f8",
"inherit_handles": 0
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2676,
"type": "call",
"cid": 261
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtUnmapViewOfSection",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"region_size": 4096,
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 263
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x000000f8",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2676,
"type": "call",
"cid": 265
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "MZP\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u000f\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u001a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u00ba\u0010\u0000\u000e\u001f\u00b4\t\u00cd!\u00b8\u0001L\u00cd!\u0090\u0090This program must be run under Win32\r\n$7\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\b\u0000\u0019^B*\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u008e\u0081\u000b\u0001\u0002\u0019\u0000\u0088\u0000\u0000\u0000\u00ca\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0006\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0010\u0000\u0000\u0000\u0010\u0000\u0000@\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000h\r\u0000\u0000\u0000@\u0001\u0000T\u00aa\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00000\u0001\u0000\b\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0001\u0000\u0018\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000CODE\u0000\u0000\u0000\u0000d\u0087\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0088\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`DATA\u0000\u0000\u0000\u00000\u0001\u0000\u0000\u0000\u00a0\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u008c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0BSS\u0000\u0000\u0000\u0000\u0000\u00edN\u0000\u0000\u0000\u00b0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.idata\u0000\u0000h\r\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0000\u0000\u008e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.tls\u0000\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000\u0010\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0.rdata\u0000\u0000\u0018\u0000\u0000\u0000\u0000 \u0001\u0000\u0000\u0002\u0000\u0000\u0000\u009c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.reloc\u0000\u0000\b\n\u0000\u0000\u00000\u0001\u0000\u0000\f\u0000\u0000\u0000\u009e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P.rsrc\u0000\u0000\u0000T\u00aa\u0005\u0000\u0000@\u0001\u0000\u0000\u00ac\u0005\u0000\u0000\u00aa\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000P\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00ac\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 267
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "44e64a37460960f3e4c8ed166521679e8aa3ed96",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "",
"process_handle": "0x000000f8",
"base_address": "0x00401000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 271
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00002\u0013\u008b\u00c0\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\"@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000T\u0015@\u0000 \u0015@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000\u0000\u0000\u0000\u0000\u00b0\u0010@\u0000\u00c4\u0010@\u0000\u00e8\u0010@\u0000\u0000\u00cb\u00cc\u00c8\u00c9\u00d7\u00cf\u00c8\u00cd\u00ce\u00db\u00d8\u00ca\u00d9\u00da\u00dc\u00dd\u00de\u00df\u00e0\u00e1\u00e3\u0000\u00e4\u00e5\u008d@\u0000\u00d0\u001f@\u0000\u00d0\u001f@\u0000\u0010#@\u0000\u00ff\u00ff\u00ff\u00ff\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0004\u0000\u0000\u0000\b\u0000\u0000\u0000\u0000=@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u008d@\u0000\u0000\u008d@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a0@\u0000\u00ec\u00c4@\u0000\u0090\u00b6@\u0000\u00e8\u00c4@\u0000\u00f8\u00c4@\u0000\u00e4\u00c4@\u0000\u00a4\u00c4@\u0000\u00c0\u00c4@\u0000\u00c8\u00c4@\u0000\f\u00d3@\u0000\u00dc\u00c4@\u0000\u00e0\u00c4@\u0000\u00bc\u00a0@\u0000\u0018\u00a0@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x0040a000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 274
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741583,
"api": "WriteProcessMemory",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0003\u0001\u0000,\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a4\u0004\u0001\u0000t\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ec\u0004\u0001\u0000\u0084\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0001\u0000\u00a0\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a2\t\u0001\u0000\u009c\u0002\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Z\u000b\u0001\u0000\u0000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000v\u000b\u0001\u0000\b\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u000b\u0001\u0000 \u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\f\u0001\u0000(\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.\f\u0001\u00000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\f\u0001\u0000@\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u009e\f\u0001\u0000H\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00de\f\u0001\u0000X\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\r\u0001\u0000p\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0003\u0001\u0000\u009c\u0003\u0001\u0000\u00b2\u0003\u0001\u0000\u00c8\u0003\u0001\u0000\u00d6\u0003\u0001\u0000\u00f2\u0003\u0001\u0000\u00fe\u0003\u0001\u0000\u0010\u0004\u0001\u0000 \u0004\u0001\u0000.\u0004\u0001\u0000<\u0004\u0001\u0000J\u0004\u0001\u0000^\u0004\u0001\u0000l\u0004\u0001\u0000x\u0004\u0001\u0000\u0086\u0004\u0001\u0000\u0092\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00b2\u0004\u0001\u0000\u00c2\u0004\u0001\u0000\u00d8\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00fa\u0004\u0001\u0000\f\u0005\u0001\u0000 \u0005\u0001\u00000\u0005\u0001\u0000B\u0005\u0001\u0000R\u0005\u0001\u0000\u0000\u0000\u0000\u0000n\u0005\u0001\u0000z\u0005\u0001\u0000\u0090\u0005\u0001\u0000\u009c\u0005\u0001\u0000\u00b2\u0005\u0001\u0000\u00c6\u0005\u0001\u0000\u00d6\u0005\u0001\u0000\u00e4\u0005\u0001\u0000\u00f6\u0005\u0001\u0000\u0006\u0006\u0001\u0000\u0018\u0006\u0001\u0000,\u0006\u0001\u0000D\u0006\u0001\u0000L\u0006\u0001\u0000^\u0006\u0001\u0000r\u0006\u0001\u0000\u0086\u0006\u0001\u0000\u0094\u0006\u0001\u0000\u00a6\u0006\u0001\u0000\u00bc\u0006\u0001\u0000\u00cc\u0006\u0001\u0000\u00dc\u0006\u0001\u0000\u00ec\u0006\u0001\u0000\u0000\u0007\u0001\u0000",
"process_handle": "0x000000f8",
"base_address": "0x0040b000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 277
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000x\u0003\u0001\u0000,\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a4\u0004\u0001\u0000t\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00ec\u0004\u0001\u0000\u0084\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0005\u0001\u0000\u00a0\u0001\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00a2\t\u0001\u0000\u009c\u0002\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Z\u000b\u0001\u0000\u0000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000v\u000b\u0001\u0000\b\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e8\u000b\u0001\u0000 \u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\f\u0001\u0000(\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.\f\u0001\u00000\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000|\f\u0001\u0000@\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u009e\f\u0001\u0000H\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00de\f\u0001\u0000X\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000L\r\u0001\u0000p\u0003\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0086\u0003\u0001\u0000\u009c\u0003\u0001\u0000\u00b2\u0003\u0001\u0000\u00c8\u0003\u0001\u0000\u00d6\u0003\u0001\u0000\u00f2\u0003\u0001\u0000\u00fe\u0003\u0001\u0000\u0010\u0004\u0001\u0000 \u0004\u0001\u0000.\u0004\u0001\u0000<\u0004\u0001\u0000J\u0004\u0001\u0000^\u0004\u0001\u0000l\u0004\u0001\u0000x\u0004\u0001\u0000\u0086\u0004\u0001\u0000\u0092\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00b2\u0004\u0001\u0000\u00c2\u0004\u0001\u0000\u00d8\u0004\u0001\u0000\u0000\u0000\u0000\u0000\u00fa\u0004\u0001\u0000\f\u0005\u0001\u0000 \u0005\u0001\u00000\u0005\u0001\u0000B\u0005\u0001\u0000R\u0005\u0001\u0000\u0000\u0000\u0000\u0000n\u0005\u0001\u0000z\u0005\u0001\u0000\u0090\u0005\u0001\u0000\u009c\u0005\u0001\u0000\u00b2\u0005\u0001\u0000\u00c6\u0005\u0001\u0000\u00d6\u0005\u0001\u0000\u00e4\u0005\u0001\u0000\u00f6\u0005\u0001\u0000\u0006\u0006\u0001\u0000\u0018\u0006\u0001\u0000,\u0006\u0001\u0000D\u0006\u0001\u0000L\u0006\u0001\u0000^\u0006\u0001\u0000r\u0006\u0001\u0000\u0086\u0006\u0001\u0000\u0094\u0006\u0001\u0000\u00a6\u0006\u0001\u0000\u00bc\u0006\u0001\u0000\u00cc\u0006\u0001\u0000\u00dc\u0006\u0001\u0000\u00ec\u0006\u0001\u0000\u0000\u0007\u0001\u0000\f\u0007\u0001\u0000\u001a\u0007\u0001\u0000*\u0007\u0001\u0000D\u0007\u0001\u0000T\u0007\u0001\u0000d\u0007\u0001\u0000t\u0007\u0001\u0000\u0082\u0007\u0001\u0000\u0090\u0007\u0001\u0000\u00a8\u0007\u0001\u0000\u00ba\u0007\u0001\u0000\u00ce\u0007\u0001\u0000\u00de\u0007\u0001\u0000\u00f4\u0007\u0001\u0000\u0006\b\u0001\u0000\u001a\b\u0001\u00000\b\u0001\u0000@\b\u0001\u0000P\b\u0001\u0000^\b\u0001\u0000t\b\u0001\u0000\u0086\b\u0001\u0000\u009c\b\u0001\u0000\u00b0\b\u0001\u0000\u00c2\b\u0001\u0000\u00d2\b\u0001\u0000\u00e0\b\u0001\u0000\u00f0\b\u0001\u0000\u0002\t\u0001\u0000\u0010\t\u0001\u0000\u001e\t\u0001\u0000.\t\u0001\u0000D\t\u0001\u0000V\t\u0001\u0000f\t\u0001\u0000t\t\u0001\u0000\u0088\t\u0001\u0000\u0094\t\u0001\u0000\u0000\u0000\u0000\u0000\u00ae\t\u0001\u0000\u00c4\t\u0001\u0000\u00d2\t\u0001\u0000\u00e6\t\u0001\u0000\u00fc\t\u0001\u0000\f\n\u0001\u0000\u001e\n\u0001\u0000.\n\u0001\u0000>\n\u0001\u0000L\n\u0001\u0000^\n\u0001\u0000z\n\u0001\u0000\u008c\n\u0001\u0000\u009c\n\u0001\u0000\u00b0\n\u0001\u0000\u00be\n\u0001\u0000\u00d4\n\u0001\u0000\u00e8\n\u0001\u0000\u00fc\n\u0001\u0000\u000e\u000b\u0001\u0000 \u000b\u0001\u0000.\u000b\u0001\u0000:\u000b\u0001\u0000H\u000b\u0001\u0000\u0000\u0000\u0000\u0000f\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u0082\u000b\u0001\u0000\u009a\u000b\u0001\u0000\u00b8\u000b\u0001\u0000\u00c6\u000b\u0001\u0000\u00d8\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u00f4\u000b\u0001\u0000\u0000\u0000\u0000\u0000\u0016\f\u0001\u0000\u0000\u0000\u0000\u0000<\f\u0001\u0000N\f\u0001\u0000`\f\u0001\u0000\u0000\u0000\u0000\u0000\u0086\f\u0001\u0000\u0000\u0000\u0000\u0000\u00aa\f\u0001\u0000\u00bc\f\u0001\u0000\u00ca\f\u0001\u0000\u0000\u0000\u0000\u0000\u00ea\f\u0001\u0000\u0000\r\u0001\u0000\u000e\r\u0001\u0000(\r\u0001\u00008\r\u0001\u0000\u0000\u0000\u0000\u0000X\r\u0001\u0000\u0000\u0000\u0000\u0000kernel32.dll\u0000\u0000\u0000\u0000GetCurrentThreadId\u0000\u0000\u0000\u0000WideCharToMultiByte\u0000\u0000\u0000MultiByteToWideChar\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000UnhandledExceptionFilter\u0000\u0000\u0000\u0000RtlUnwind\u0000\u0000\u0000RaiseException\u0000\u0000\u0000\u0000GetSystemTime\u0000\u0000\u0000TlsSetValue\u0000\u0000\u0000TlsGetValue\u0000\u0000\u0000LocalAlloc\u0000\u0000\u0000\u0000GetModuleHandleA\u0000\u0000\u0000\u0000FreeLibrary\u0000\u0000\u0000HeapFree\u0000\u0000\u0000\u0000HeapReAlloc\u0000\u0000\u0000HeapAlloc\u0000\u0000\u0000GetProcessHeap\u0000\u0000oleaut32.dll\u0000\u0000\u0000\u0000SysFreeString\u0000\u0000\u0000SysReAllocStringLen\u0000\u0000\u0000SysAllocStringLen\u0000advapi32.dll\u0000\u0000\u0000\u0000RegSetValueExW\u0000\u0000\u0000\u0000RegQueryValueExW\u0000\u0000\u0000\u0000RegOpenKeyExW\u0000\u0000\u0000RegCreateKeyExW\u0000\u0000\u0000RegCreateKeyW\u0000\u0000\u0000RegCloseKey\u0000kernel32.dll\u0000\u0000\u0000\u0000lstrlenW\u0000\u0000\u0000\u0000WriteProcessMemory\u0000\u0000\u0000\u0000WriteFile\u0000\u0000\u0000WaitForSingleObject\u0000\u0000\u0000VirtualProtectEx\u0000\u0000\u0000\u0000VirtualFreeEx\u0000\u0000\u0000VirtualFree\u0000\u0000\u0000VirtualAllocEx\u0000\u0000\u0000\u0000VirtualAlloc\u0000\u0000\u0000\u0000TerminateThread\u0000\u0000\u0000TerminateProcess\u0000\u0000\u0000\u0000SystemTimeToFileTime\u0000\u0000\u0000\u0000Sleep\u0000\u0000\u0000SizeofResource\u0000\u0000\u0000\u0000SetThreadPriority\u0000\u0000\u0000SetThreadContext\u0000\u0000\u0000\u0000SetFileTime\u0000\u0000\u0000SetFilePointer\u0000\u0000\u0000\u0000SetFileAttributesW\u0000\u0000\u0000\u0000SetErrorMode\u0000\u0000\u0000\u0000SetEndOfFile\u0000\u0000\u0000\u0000ResumeThread\u0000\u0000\u0000\u0000ReadProcessMemory\u0000\u0000\u0000ReadFile\u0000\u0000\u0000\u0000OpenProcess\u0000\u0000\u0000LockResource\u0000\u0000\u0000\u0000LocalFileTimeToFileTime\u0000\u0000\u0000LoadResource\u0000\u0000\u0000\u0000LoadLibraryA\u0000\u0000\u0000\u0000GlobalUnlock\u0000\u0000\u0000\u0000GlobalSize\u0000\u0000\u0000\u0000GlobalLock\u0000\u0000\u0000\u0000GetWindowsDirectoryW\u0000\u0000\u0000\u0000GetTimeFormatW\u0000\u0000\u0000\u0000GetThreadContext\u0000\u0000\u0000\u0000GetTempPathW\u0000\u0000\u0000\u0000GetSystemDirectoryW\u0000\u0000\u0000GetProcAddress\u0000\u0000\u0000\u0000GetModuleHandleA\u0000\u0000\u0000\u0000GetModuleFileNameW\u0000\u0000\u0000\u0000GetLocalTime\u0000\u0000\u0000\u0000GetLastError\u0000\u0000\u0000\u0000GetFileSize\u0000\u0000\u0000GetFileAttributesW\u0000\u0000\u0000\u0000GetDateFormatW\u0000\u0000\u0000\u0000GetCurrentProcessId\u0000\u0000\u0000GetCurrentProcess\u0000\u0000\u0000GetCommandLineW\u0000\u0000\u0000FreeResource\u0000\u0000\u0000\u0000FreeLibrary\u0000\u0000\u0000FindResourceW\u0000\u0000\u0000FindFirstFileW\u0000\u0000\u0000\u0000ExitProcess\u0000\u0000\u0000DeleteFileW\u0000\u0000\u0000CreateThread\u0000\u0000\u0000\u0000CreateRemoteThread\u0000\u0000\u0000\u0000CreateProcessW\u0000\u0000\u0000\u0000CreateMutexW\u0000\u0000\u0000\u0000CreateFileW\u0000\u0000\u0000CreateDirectoryW\u0000\u0000\u0000\u0000CopyFileW\u0000\u0000\u0000CloseHandle\u0000user32.dll\u0000\u0000\u0000\u0000UnhookWindowsHookEx\u0000\u0000\u0000ShowWindow\u0000\u0000\u0000\u0000SetWindowsHookExW\u0000\u0000\u0000SetClipboardViewer\u0000\u0000\u0000\u0000SendMessageA\u0000\u0000\u0000\u0000RegisterClassW\u0000\u0000\u0000\u0000PostMessageA\u0000\u0000\u0000\u0000OpenClipboard\u0000\u0000\u0000MessageBoxW\u0000\u0000\u0000MapVirtualKeyW\u0000\u0000\u0000\u0000GetWindowThreadProcessId\u0000\u0000\u0000\u0000GetWindowTextW\u0000\u0000\u0000\u0000GetWindowRect\u0000\u0000\u0000GetKeyboardLayout\u0000\u0000\u0000GetKeyState\u0000\u0000\u0000GetForegroundWindow\u0000\u0000\u0000GetDesktopWindow\u0000\u0000\u0000\u0000GetClipboardData\u0000\u0000\u0000\u0000DefWindowProcA\u0000\u0000\u0000\u0000CloseClipboard\u0000\u0000\u0000\u0000CharUpperW\u0000\u0000\u0000\u0000CharNextW\u0000\u0000\u0000CharLowerW\u0000\u0000\u0000\u0000CallNextHookEx\u0000\u0000shlwapi.dll\u0000\u0000\u0000SHDeleteKeyW\u0000\u0000shell32.dll\u0000\u0000\u0000SHGetPathFromIDListW\u0000\u0000\u0000\u0000SHGetSpecialFolderLocation\u0000\u0000\u0000\u0000SHGetMalloc\u0000\u0000\u0000FindExecutableW\u0000\u0000\u0000ShellExecuteW\u0000urlmon.dll\u0000\u0000\u0000\u0000URLDownloadToFileW\u0000\u0000wininet.dll\u0000\u0000\u0000DeleteUrlCacheEntryW\u0000\u0000kernel32.dll\u0000\u0000\u0000\u0000Process32NextW\u0000\u0000\u0000\u0000Process32FirstW\u0000\u0000\u0000CreateToolhelp32Snapshot\u0000\u0000ntdll.dll\u0000\u0000\u0000NtUnmapViewOfSection\u0000\u0000user32.dll\u0000\u0000\u0000\u0000CreateWindowExW\u0000\u0000\u0000ToUnicodeEx\u0000\u0000\u0000GetKeyboardState\u0000\u0000wininet.dll\u0000\u0000\u0000InternetCloseHandle\u0000\u0000\u0000FtpPutFileW\u0000\u0000\u0000FtpSetCurrentDirectoryW\u0000\u0000\u0000InternetOpenW\u0000\u0000\u0000InternetConnectW\u0000\u0000shell32.dll\u0000\u0000\u0000ShellExecuteW\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00410000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 280
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 87,
"nt_status": -1073741583,
"api": "WriteProcessMemory",
"return_value": 0,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0010A\u0000\b\u0010A\u0000x\u00a0@\u0000\u0010 A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u00c4\u0000\u0000\u0000\u00000\u00120\u001a0\"0*020:0B0J0R0Z0b0j0r0z0\u00820\u008a0\u00920\u009a0\u00a20\u00aa0\u00b20\u00b80\u00c90\u00d20\u00eb0\u00f40\u00061\u001e1?1X1q1\u00821\u00971\u00a41\u00c41z2\u00a92\u00b42\u00c52\u00da2\u00f02\b3\u00163J3f3r3\u00863\u00b33\u00e03\u00e93\u001b4$4Y4`4\u00824\u00cf4%5_5e5v5\u00855\u008b5\u00995\u00a95\u00bc5\u00c65\u00ca5\u00d05\u00d45\u00d95\u00e05\u00e65\u00ee5\u00f45 6*6Q6V6[6}6\u00866\u009c6\u00b46\u00cf6\u00ee6\u00f76\u001d7*7};M?W?\u00f5?\u00fe?\u0000 \u0000\u0000D\u0001\u0000\u0000\t0\u000e0\u00160>2E2R2\u008b2\u00972\u009f2\u00a52\u00b22\u00c22\u00cf2\u00d52\u00d92\u00e02\u00e92\u00f22\u00033b3\u008c3\u009a3\u009f3\u00b83\u00c83\u00d93\u00ea3\u00f63\u00fb3\u00004\u00074\u000e4\u00184\/4;4B4T4f4s44\u008c4\u009e4\u00a64\u00ae4\u00b64\u00be4\u00c64\u00ce4\u00d64\u00de4\u00e64\u00ee4\u00f64\u001e5&5.565>5F5N5V5^5f5n5v5~5\u00865\u008e5\u00965\u009e5\u00a65\u00ae5\u00b65\u00be5\u00c65\u00ce5\u00d65\u00de5\u00e65\u00ee5\u00f65\u00fe5\u00066\u000e6\u00166\u001e6&6.666>6F6N6V6^6f6n6v6~6\u00866\u008e6\u00966\u009e6\u00a66\u00ae6\u00b66\u00be6\u00c66\u00ce6\u00d66\u00de6\u00e66\u00ee6\u00f66\u00fe6\u00067\u000e7\u00167\u001e7&7.767>7F7N7V7^7f7n7v7~7\u00867\u008e7\u00967\u009e7\u00bb7\u00c77\u00d47\u00e67\u00ee7\u00f67R8\u00878\u00139$9E9\u0006:2:\u0084:\u000e;\u0016;\u001e;7;h;\u00be;\u00e0;\u0014>\u001f>{>\u00000\u0000\u0000\u00ac\u0000\u0000\u0000\u00111e1\u00821\u008a1R2p2\u00a12\u00c32\u00c23\u00ca3\u00d23\u00c54W55\u008b5\u00925\u00a45\u00b85\u00bc5\u00c25\u00ca5\u00816\u00916\u009c6\u00aa6\u00b76\u00ff6\u00167H7\\7z7\u001a8\u001f8\u00968\u00be8\u0085;\u0096;\u00c3;\u00c9;\u00d4;\u00eb;\u00fc;\u001e<)<\/<:<@\u001b>'>4>F>S>_>l>~>\u008b>\u0097>\u00a4>\u00b6>\u008d?\u0000\u0000\u0000@\u0000\u0000\u00d4\u0000\u0000\u0000\u00041+171>1H1R1d1x1|1\u00801\u00841\u008a1\u00921\u00df1\u00ec1\u00f21\u00fc1\b2\u00112\u00192(2-272<2B2N2e22\u00a02\u00a62\u00b22\u00bf2\u00d62\u00dc2\u00ed2\u00f32\u00103\u00163#363C3I3S3j3\u00b63\u00be3\u00f73\u00054\u00104O4\u00ab4\u00c04\u00dc4&5\u00af5\u00eb5d6\u00ca6\u00ed6\u001a73788=8K8Y8\u00e48\u00169\u00e29):9:F:\u0083;\u00cc;\u00e4;\u00f7;><\u009b<\u00b4<\u00d8<=\u008b=\u0092=\u009c=\u00a7=\u00b9=\u00cc=\u00d0=\u00d6=\u00de=\u00ea=\u00f2=X>\u00a2>\u00d4>\u001e?@?U?{?\u0088?\u0090?\u00a2?\u00f2?\u0000P\u0000\u0000\u0090\u0001\u0000\u0000\u00180\u00820\u008f0\u00970\u00a90\u00f90\u00181\u00f02'3.3&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4\u00824\u00864\u008a4\u008e4\u00924\u00964\u009a4\u009e4\u00a24\u00a64\u00aa4\u00ae4\u00b24\u00b64\u00ba4\u00be4\u00c24\u00c64\u00ca4\u00ce4\u00d24\u00d64\u00da4\u00de4\u00e24\u00e64\u00ea4\u00ee4\u00f24\u00f64\u00fa4\u00fe4\u00025\u00065\n5\u000e5\u00125\u00165\u001a5\u001e5\"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5\u00825\u00895\u009a5\u00ab5\u00bc5\u00cd5\u00de5\u00ef5\u00006\u00116\"636D6U6f6w6\u00886\u00996\u00aa6\u00bb6\u00cc6\u00dd6\u00ee6\u00ff6\u00107!727C7T7e7v7\u00877\u00987\u00a97\u00ba7\u00cb7\u00dc7\u00ed7\u00fe7\u000f8 818B8S8d8u8\u00868\u00978\u00a88\u00b98\u00ca8\u00db8\u00ec8\u00fd8\u000e9\u001f909A9R9c9t9\u00859\u00969\u00a79\u00b89\u00c99\u00da9\u00eb9\u00fc9\r:\u001e:\/:@:Q:b:s:\u0084:\u0095:\u00a6:\u00b4:\u00c2:\u00d0:\u00de:\u00ec:\u00fa:\b;\u0016;$;:;D;T;f;\u00ab;G<`\u0010>7>U>a>u>}>\u008a>\u009a>\u00bb>\u00c9>\u00d4>\u00e0>\u00ea>\u00f4>\u00fc>\u000e?\u00ce?\u0000\u0000\u0000p\u0000\u0000\u00f4\u0000\u0000\u0000\u00030m0\u009e0\u00ba0\u00071\r1\u00131\u00191-171J1P1d1y1\u00881\u008e1\u00a61\u00bd1\u00c71\u00d81\u00ec1H2\u00922\u009b2\u00d52\u00ed2\u00fe2l3\u00843\u00923\u00a13\u00d23\u00f13\u00f63\u00fb3\u00004\f4\u00114$414C4N4Z4d4\u00814\u00d74\u00dd4\u00e34\u00eb4\u00f74\u00fe4\u000e5(53595G5\u00835\u008e5\u00975\u009f5\u00b05\u00d65\u00e05\u00f65\u00fc5\n6\u00156!6*626>6L6\u00826\u008a6\u00926\u009a6\u00a2677C7J7\\7s77\u008d7\u00fc7\u00018\u000f8\u001e8r8|8\u00868\u00908\u009a8\u00d98\u00e08\u00ec8\u001c949P9k9\u00b89\u00fa9H:~:\u001b;\u0098;a\u00cc>\u00ed>f?p?z?\u0084?\u008e?\u0099?\u009e?\u0000\u0000\u0000\u0080\u0000\u0000\b\u0002\u0000\u0000\u00e70\u00f20\u00fc0\u00061\u00101\u001a1%1]1j1{1\u00991\u00a01\u00a51\u00b21\u00d01\u00d71\u00dc1\u00e91\u00f01\u000e2\u00192 2.292@2N2q2\u00a42\u00c02\u00d62\u00f02'3D3O3n3{3\u00843\u00993\u00be3\u000b5\u00165 5*545F5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00a85\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d85\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00136 6+656f6\u00806\u00936\u00bf6\u00e16\u00ed6\u00f26\u00017\u00157!7\/7H7V7k7w7\u00857\u00ad7\u00ba7\u00c07\u00cc7\u00d27\u00d77\u00e17\u00f07\u00fb7\u00068\"8D8P8U88\u00848\u008e8\u00988\u00a28\u00b48\u00cd8\u00e38\u00ef8\u00fd8\u001b919>9J9`9m9\u00a19\u00ad9\u00b79\u00be9\u00c39\u00cf9\u00df9\u00f09\u00ff9\u000b:\u0010:\u001c:(:4:?:U:f:w:\u0087:\u009f:\u00f7:\u0019;o;\u0094;\u009e;\u00af;\u00b4;\u00c0;\u00c8;\u00cd;\u00d9;\u00e8;\u00ed;\u00f9;\u0007<\r<\u0017<.<:\u0007>\f>\u0016>\u001b> >5>?>D>I>S>Z>_>i>n>s>}>\u0086>\u0091>\u00a7>\u00b8>\u00c5>\u00d1>\t?\u0015?\u001a?$?0?5?K?Y?c?n?u?z?\u0087?\u0094?\u00aa?\u00ba?\u00ce?\u00e0?\u00e6?\u00f0?\u00fc?\u0000\u0000\u0000\u0090\u0000\u0000\u00dc\u0000\u0000\u0000#0:0I0T0Y0^0~0\u00870\u008e0\u00940\u009e0\u00a90\u00b60\u00bc0\u00c60\u00d70\u00eb0\u00151\u001f1$1*141@1g1~1\u008d1\u00981\u009d1\u00a21\u00b51\u00d01\u00e51\u00f51\u00fa1\t2\u00192!2)24292C2I2t2|2\u00872\u008c2\u00962\u00a62\u00bb2\u00cb2\u00d02\u00df2\u00ef2\u00f72\u00ff2\n3\u000f3\u00193\u001f3J3R3]3b3l3|3\u00923\u00a23\u00a73\u00b63\u00c63\u00ce3\u00d63\u00e13\u00e63\u00f03\u00f63!4)44494C4M4R4W4a4q4y4\u00814\u008c4\u00914\u009b4\u00a14\u00c84\u00d04\u00db4\u00e04\u00ea4\u00fd4\b5\u00105\u00185#5<5B5V5\u0000\u0000\u0000\u00a0\u0000\u0000@\u0000\u0000\u0000$0(0,0004080<0D0H0L0l0p0t0\u00b00\u00f80\u00fc0\u00001\u00041\b1\f1\u00101\u00141\u00181\u001c1 1$1(1,1\u0000 \u0001\u0000\u0014\u0000\u0000\u0000\u00000\u00040\b0\f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00411000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 283
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0010A\u0000\b\u0010A\u0000x\u00a0@\u0000\u0010 A\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00412000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 286
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0010\u0000\u0000\u00c4\u0000\u0000\u0000\u00000\u00120\u001a0\"0*020:0B0J0R0Z0b0j0r0z0\u00820\u008a0\u00920\u009a0\u00a20\u00aa0\u00b20\u00b80\u00c90\u00d20\u00eb0\u00f40\u00061\u001e1?1X1q1\u00821\u00971\u00a41\u00c41z2\u00a92\u00b42\u00c52\u00da2\u00f02\b3\u00163J3f3r3\u00863\u00b33\u00e03\u00e93\u001b4$4Y4`4\u00824\u00cf4%5_5e5v5\u00855\u008b5\u00995\u00a95\u00bc5\u00c65\u00ca5\u00d05\u00d45\u00d95\u00e05\u00e65\u00ee5\u00f45 6*6Q6V6[6}6\u00866\u009c6\u00b46\u00cf6\u00ee6\u00f76\u001d7*7};M?W?\u00f5?\u00fe?\u0000 \u0000\u0000D\u0001\u0000\u0000\t0\u000e0\u00160>2E2R2\u008b2\u00972\u009f2\u00a52\u00b22\u00c22\u00cf2\u00d52\u00d92\u00e02\u00e92\u00f22\u00033b3\u008c3\u009a3\u009f3\u00b83\u00c83\u00d93\u00ea3\u00f63\u00fb3\u00004\u00074\u000e4\u00184\/4;4B4T4f4s44\u008c4\u009e4\u00a64\u00ae4\u00b64\u00be4\u00c64\u00ce4\u00d64\u00de4\u00e64\u00ee4\u00f64\u001e5&5.565>5F5N5V5^5f5n5v5~5\u00865\u008e5\u00965\u009e5\u00a65\u00ae5\u00b65\u00be5\u00c65\u00ce5\u00d65\u00de5\u00e65\u00ee5\u00f65\u00fe5\u00066\u000e6\u00166\u001e6&6.666>6F6N6V6^6f6n6v6~6\u00866\u008e6\u00966\u009e6\u00a66\u00ae6\u00b66\u00be6\u00c66\u00ce6\u00d66\u00de6\u00e66\u00ee6\u00f66\u00fe6\u00067\u000e7\u00167\u001e7&7.767>7F7N7V7^7f7n7v7~7\u00867\u008e7\u00967\u009e7\u00bb7\u00c77\u00d47\u00e67\u00ee7\u00f67R8\u00878\u00139$9E9\u0006:2:\u0084:\u000e;\u0016;\u001e;7;h;\u00be;\u00e0;\u0014>\u001f>{>\u00000\u0000\u0000\u00ac\u0000\u0000\u0000\u00111e1\u00821\u008a1R2p2\u00a12\u00c32\u00c23\u00ca3\u00d23\u00c54W55\u008b5\u00925\u00a45\u00b85\u00bc5\u00c25\u00ca5\u00816\u00916\u009c6\u00aa6\u00b76\u00ff6\u00167H7\\7z7\u001a8\u001f8\u00968\u00be8\u0085;\u0096;\u00c3;\u00c9;\u00d4;\u00eb;\u00fc;\u001e<)<\/<:<@\u001b>'>4>F>S>_>l>~>\u008b>\u0097>\u00a4>\u00b6>\u008d?\u0000\u0000\u0000@\u0000\u0000\u00d4\u0000\u0000\u0000\u00041+171>1H1R1d1x1|1\u00801\u00841\u008a1\u00921\u00df1\u00ec1\u00f21\u00fc1\b2\u00112\u00192(2-272<2B2N2e22\u00a02\u00a62\u00b22\u00bf2\u00d62\u00dc2\u00ed2\u00f32\u00103\u00163#363C3I3S3j3\u00b63\u00be3\u00f73\u00054\u00104O4\u00ab4\u00c04\u00dc4&5\u00af5\u00eb5d6\u00ca6\u00ed6\u001a73788=8K8Y8\u00e48\u00169\u00e29):9:F:\u0083;\u00cc;\u00e4;\u00f7;><\u009b<\u00b4<\u00d8<=\u008b=\u0092=\u009c=\u00a7=\u00b9=\u00cc=\u00d0=\u00d6=\u00de=\u00ea=\u00f2=X>\u00a2>\u00d4>\u001e?@?U?{?\u0088?\u0090?\u00a2?\u00f2?\u0000P\u0000\u0000\u0090\u0001\u0000\u0000\u00180\u00820\u008f0\u00970\u00a90\u00f90\u00181\u00f02'3.3&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4\u00824\u00864\u008a4\u008e4\u00924\u00964\u009a4\u009e4\u00a24\u00a64\u00aa4\u00ae4\u00b24\u00b64\u00ba4\u00be4\u00c24\u00c64\u00ca4\u00ce4\u00d24\u00d64\u00da4\u00de4\u00e24\u00e64\u00ea4\u00ee4\u00f24\u00f64\u00fa4\u00fe4\u00025\u00065\n5\u000e5\u00125\u00165\u001a5\u001e5\"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5\u00825\u00895\u009a5\u00ab5\u00bc5\u00cd5\u00de5\u00ef5\u00006\u00116\"636D6U6f6w6\u00886\u00996\u00aa6\u00bb6\u00cc6\u00dd6\u00ee6\u00ff6\u00107!727C7T7e7v7\u00877\u00987\u00a97\u00ba7\u00cb7\u00dc7\u00ed7\u00fe7\u000f8 818B8S8d8u8\u00868\u00978\u00a88\u00b98\u00ca8\u00db8\u00ec8\u00fd8\u000e9\u001f909A9R9c9t9\u00859\u00969\u00a79\u00b89\u00c99\u00da9\u00eb9\u00fc9\r:\u001e:\/:@:Q:b:s:\u0084:\u0095:\u00a6:\u00b4:\u00c2:\u00d0:\u00de:\u00ec:\u00fa:\b;\u0016;$;:;D;T;f;\u00ab;G<`\u0010>7>U>a>u>}>\u008a>\u009a>\u00bb>\u00c9>\u00d4>\u00e0>\u00ea>\u00f4>\u00fc>\u000e?\u00ce?\u0000\u0000\u0000p\u0000\u0000\u00f4\u0000\u0000\u0000\u00030m0\u009e0\u00ba0\u00071\r1\u00131\u00191-171J1P1d1y1\u00881\u008e1\u00a61\u00bd1\u00c71\u00d81\u00ec1H2\u00922\u009b2\u00d52\u00ed2\u00fe2l3\u00843\u00923\u00a13\u00d23\u00f13\u00f63\u00fb3\u00004\f4\u00114$414C4N4Z4d4\u00814\u00d74\u00dd4\u00e34\u00eb4\u00f74\u00fe4\u000e5(53595G5\u00835\u008e5\u00975\u009f5\u00b05\u00d65\u00e05\u00f65\u00fc5\n6\u00156!6*626>6L6\u00826\u008a6\u00926\u009a6\u00a2677C7J7\\7s77\u008d7\u00fc7\u00018\u000f8\u001e8r8|8\u00868\u00908\u009a8\u00d98\u00e08\u00ec8\u001c949P9k9\u00b89\u00fa9H:~:\u001b;\u0098;a\u00cc>\u00ed>f?p?z?\u0084?\u008e?\u0099?\u009e?\u0000\u0000\u0000\u0080\u0000\u0000\b\u0002\u0000\u0000\u00e70\u00f20\u00fc0\u00061\u00101\u001a1%1]1j1{1\u00991\u00a01\u00a51\u00b21\u00d01\u00d71\u00dc1\u00e91\u00f01\u000e2\u00192 2.292@2N2q2\u00a42\u00c02\u00d62\u00f02'3D3O3n3{3\u00843\u00993\u00be3\u000b5\u00165 5*545F5X5\\5`5d5h5l5p5t5x5|5\u00805\u00845\u00885\u008c5\u00905\u00945\u00985\u009c5\u00a05\u00a45\u00a85\u00ac5\u00b05\u00b45\u00b85\u00bc5\u00c05\u00c45\u00c85\u00cc5\u00d05\u00d85\u00e05\u00e45\u00e85\u00ec5\u00f05\u00f45\u00f85\u00fc5\u00136 6+656f6\u00806\u00936\u00bf6\u00e16\u00ed6\u00f26\u00017\u00157!7\/7H7V7k7w7\u00857\u00ad7\u00ba7\u00c07\u00cc7\u00d27\u00d77\u00e17\u00f07\u00fb7\u00068\"8D8P8U88\u00848\u008e8\u00988\u00a28\u00b48\u00cd8\u00e38\u00ef8\u00fd8\u001b919>9J9`9m9\u00a19\u00ad9\u00b79\u00be9\u00c39\u00cf9\u00df9\u00f09\u00ff9\u000b:\u0010:\u001c:(:4:?:U:f:w:\u0087:\u009f:\u00f7:\u0019;o;\u0094;\u009e;\u00af;\u00b4;\u00c0;\u00c8;\u00cd;\u00d9;\u00e8;\u00ed;\u00f9;\u0007<\r<\u0017<.<:\u0007>\f>\u0016>\u001b> >5>?>D>I>S>Z>_>i>n>s>}>\u0086>\u0091>\u00a7>\u00b8>\u00c5>\u00d1>\t?\u0015?\u001a?$?0?5?K?Y?c?n?u?z?\u0087?\u0094?\u00aa?\u00ba?\u00ce?\u00e0?\u00e6?\u00f0?\u00fc?\u0000\u0000\u0000\u0090\u0000\u0000\u00dc\u0000\u0000\u0000#0:0I0T0Y0^0~0\u00870\u008e0\u00940\u009e0\u00a90\u00b60\u00bc0\u00c60\u00d70\u00eb0\u00151\u001f1$1*141@1g1~1\u008d1\u00981\u009d1\u00a21\u00b51\u00d01\u00e51\u00f51\u00fa1\t2\u00192!2)24292C2I2t2|2\u00872\u008c2\u00962\u00a62\u00bb2\u00cb2\u00d02\u00df2\u00ef2\u00f72\u00ff2\n3\u000f3\u00193\u001f3J3R3]3b3l3|3\u00923\u00a23\u00a73\u00b63\u00c63\u00ce3\u00d63\u00e13\u00e63\u00f03\u00f63!4)44494C4M4R4W4a4q4y4\u00814\u008c4\u00914\u009b4\u00a14\u00c84\u00d04\u00db4\u00e04\u00ea4\u00fd4\b5\u00105\u00185#5<5B5V5\u0000\u0000\u0000\u00a0\u0000\u0000@\u0000\u0000\u0000$0(0,0004080<0D0H0L0l0p0t0\u00b00\u00f80\u00fc0\u00001\u00041\b1\f1\u00101\u00141\u00181\u001c1 1$1(1,1\u0000 \u0001\u0000\u0014\u0000\u0000\u0000\u00000\u00040\b0\f0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x000000f8",
"base_address": "0x00413000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 289
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "6f08d15a36a8315f0d07354dcb36dfb799970edf",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "",
"process_handle": "0x000000f8",
"base_address": "0x00414000"
},
"time": 1584247987.062625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 292
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0"
},
"time": 1584247987.687625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 294
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 856,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x000000f8",
"base_address": "0x7efde008"
},
"time": 1584247987.687625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 296
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0",
"registers": {
"eip": 2008678852,
"esp": 1638384,
"edi": 0,
"eax": 4228608,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 856
},
"time": 1584247987.687625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 298
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000d0",
"suspend_count": 1,
"process_identifier": 856
},
"time": 1584247989.000625,
"tid": 1512,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 300
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 816,
"thread_handle": "0x00000160",
"process_identifier": 1616,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "svchost.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000168",
"inherit_handles": 0
},
"time": 1584247994.359124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 191
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1616,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000168",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247994.468124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 199
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "2f70fcc9396f60d8f9b137cf138d75387e143ad6",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "",
"process_handle": "0x00000168",
"base_address": "0x00400000"
},
"time": 1584247994.468124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 200
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 368,
"thread_handle": "0x00000178",
"process_identifier": 2236,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000174",
"inherit_handles": 0
},
"time": 1584247994.859124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 277
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2648,
"thread_handle": "0x00000170",
"process_identifier": 2184,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "explorer.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000164",
"inherit_handles": 0
},
"time": 1584247995.015124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 288
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2184,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000164",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247995.125124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 296
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "28ed533cbf5c76005356fdb12535242529017aae",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2184,
"buffer": "",
"process_handle": "0x00000164",
"base_address": "0x00400000"
},
"time": 1584247995.125124,
"tid": 2968,
"flags": {}
},
"pid": 856,
"type": "call",
"cid": 297
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247996.640124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 313
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1996,
"thread_handle": "0x000000e4",
"process_identifier": 2268,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000164",
"inherit_handles": 0
},
"time": 1584247997.187124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 320
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2624,
"thread_handle": "0x00000184",
"process_identifier": 3048,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x0000017c",
"inherit_handles": 0
},
"time": 1584247997.328124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 334
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247997.437124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 342
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2328,
"thread_handle": "0x0000018c",
"process_identifier": 1348,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000188",
"inherit_handles": 0
},
"time": 1584247997.968124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 349
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 800,
"thread_handle": "0x00000194",
"process_identifier": 552,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000190",
"inherit_handles": 0
},
"time": 1584247998.125124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 363
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247998.234124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 371
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2148,
"thread_handle": "0x0000019c",
"process_identifier": 3000,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000198",
"inherit_handles": 0
},
"time": 1584247998.781124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 378
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2356,
"thread_handle": "0x000001a4",
"process_identifier": 608,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001a0",
"inherit_handles": 0
},
"time": 1584247998.937124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 392
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247999.047124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 400
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2448,
"thread_handle": "0x000001ac",
"process_identifier": 1092,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001a8",
"inherit_handles": 0
},
"time": 1584247999.593124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 407
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2924,
"thread_handle": "0x000001b4",
"process_identifier": 2504,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001b0",
"inherit_handles": 0
},
"time": 1584247999.750124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 421
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584247999.859124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 429
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2500,
"thread_handle": "0x000001bc",
"process_identifier": 1676,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001b8",
"inherit_handles": 0
},
"time": 1584248000.406124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 436
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2132,
"thread_handle": "0x000001c4",
"process_identifier": 2752,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001c0",
"inherit_handles": 0
},
"time": 1584248000.562124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 450
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248000.672124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 458
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1504,
"thread_handle": "0x000001cc",
"process_identifier": 3020,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001c8",
"inherit_handles": 0
},
"time": 1584248001.218124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 465
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1132,
"thread_handle": "0x000001d4",
"process_identifier": 2248,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001d0",
"inherit_handles": 0
},
"time": 1584248001.375124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 479
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248001.484124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 487
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 3036,
"thread_handle": "0x000001dc",
"process_identifier": 2868,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001d8",
"inherit_handles": 0
},
"time": 1584248002.015124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 494
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1476,
"thread_handle": "0x000001e4",
"process_identifier": 2668,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001e0",
"inherit_handles": 0
},
"time": 1584248002.172124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 508
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 6,
"nt_status": -1073741816,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225480,
"arguments": {
"process_identifier": 0,
"region_size": 454656,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000002",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1584248002.281124,
"tid": 2968,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 856,
"type": "call",
"cid": 516
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1096,
"thread_handle": "0x000001ec",
"process_identifier": 2312,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001e8",
"inherit_handles": 0
},
"time": 1584248002.828124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 523
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2660,
"thread_handle": "0x000001f4",
"process_identifier": 2308,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000001f0",
"inherit_handles": 0
},
"time": 1584248002.984124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 856,
"type": "call",
"cid": 537
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1224,
"thread_handle": "0x0000037c",
"process_identifier": 2056,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "C:\\Windows\\InstallDir\\Server.exe",
"track": 1,
"command_line": "\"C:\\Windows\\InstallDir\\Server.exe\" ",
"filepath_r": "C:\\Windows\\InstallDir\\Server.exe",
"stack_pivoted": 0,
"creation_flags": 67634192,
"process_handle": "0x000003d0",
"inherit_handles": 0
},
"time": 1584248004.281124,
"tid": 2968,
"flags": {
"creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 856,
"type": "call",
"cid": 803
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2296,
"thread_handle": "0x000000d0",
"process_identifier": 2360,
"current_directory": "",
"filepath": "C:\\Windows\\InstallDir\\Server.exe",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Windows\\InstallDir\\Server.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x000000f8",
"inherit_handles": 0
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2056,
"type": "call",
"cid": 262
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtUnmapViewOfSection",
"return_value": 0,
"arguments": {
"process_identifier": 2360,
"region_size": 4096,
"process_handle": "0x000000f8",
"base_address": "0x00400000"
},
"time": 1584248004.453124,
"tid": 1224,
"flags": {}
},
"pid": 2056,
"type": "call",
"cid": 264
}
],
"references": [],
"name": "injection_runpe"
}
] Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.1261348724365234,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.127351999282837,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.0527400970458984,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.068058967590332,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.0729639530181885,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5227980613708496,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.040383100509643555,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.5834438800811768,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0842080116271973,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1573660373687744,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "d4bb6dbe3fc828b0ff88eaa838697047b9b77b6842c2d529c70e3eff4c05fd10",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "075a35ca542ad0752f8b90fcfe6b3e6bdeb99e7708fba5f4bd8e0afabf9875dc",
"irc": [],
"https_ex": []
}Screenshots
cheese.exe removal instructions
The instructions below shows how to remove cheese.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the cheese.exe file for removal, restart your computer and scan it again to verify that cheese.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate cheese.exe in the scan result and tick the checkbox next to the cheese.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate cheese.exe in the scan result.
c:\downloads\cheese.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the cheese.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If cheese.exe still remains in the scan result, proceed with the next step. If cheese.exe is gone from the scan result you're done.
- If cheese.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that cheese.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 648748b170b6931da6865d8c33dae1ba |
| SHA256 | 53a23c2c6879ead4cdc3456645c41d523082a8406d498dc4689d32a7a583e0ac |
Error Messages
These are some of the error messages that can appear related to cheese.exe:
cheese.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
cheese.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
cheese.exe has stopped working.
End Program - cheese.exe. This program is not responding.
cheese.exe is not a valid Win32 application.
cheese.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with cheese.exe?
To help other users, please let us know what you will do with cheese.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.