lib1g.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected lib1g.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
lib1g.exe is not signed.
59 of the 72 anti-virus programs at VirusTotal detected the lib1g.exe file. That's an 82% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.2893550 |
| AegisLab | Trojan.Win32.Generic.4!c |
| AhnLab-V3 | Trojan/Win32.Inject.C1300223 |
| Alibaba | VirTool:Win32/CeeInject.848b5b14 |
| ALYac | Trojan.GenericKD.2893550 |
| Antiy-AVL | Trojan/Win32.Yakes |
| APEX | Malicious |
| Arcabit | Trojan.Generic.D2C26EE |
| Avast | Win32:Crypt-SKT [Trj] |
| AVG | Win32:Crypt-SKT [Trj] |
| Avira | HEUR/AGEN.1029147 |
| BitDefender | Trojan.GenericKD.2893550 |
| CAT-QuickHeal | Ransomware.Generic.WR4 |
| Comodo | Malware@#25r0qou3070vo |
| CrowdStrike | win/malicious_confidence_80% (W) |
| Cybereason | malicious.e8c115 |
| Cylance | Unsafe |
| Cyren | W32/PWS.TOII-4432 |
| DrWeb | Trojan.Packed.40547 |
| eGambit | Generic.Malware |
| Emsisoft | Trojan.GenericKD.2893550 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | Win32/Spy.Ursnif.AO |
| F-Secure | Heuristic.HEUR/AGEN.1029147 |
| FireEye | Generic.mg.8ede3ace8c115bd3 |
| Fortinet | W32/Injector.CMZS!tr |
| GData | Trojan.GenericKD.2893550 |
| Ikarus | Trojan.Win32.PSW |
| Invincea | heuristic |
| Jiangmin | Trojan.Yakes.czq |
| K7AntiVirus | Trojan ( 004d7cf71 ) |
| K7GW | Trojan ( 004d7cf71 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Malwarebytes | Trojan.Tinba |
| MAX | malware (ai score=100) |
| McAfee | Trojan-FHLO!8EDE3ACE8C11 |
| McAfee-GW-Edition | BehavesLike.Win32.GameVance.fc |
| Microsoft | TrojanSpy:Win32/Ursnif.HN |
| MicroWorld-eScan | Trojan.GenericKD.2893550 |
| NANO-Antivirus | Trojan.Win32.MlwGen.dyxskv |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM10.1.Malware.Gen |
| Rising | Malware.Obscure/Heur!1.9E03 (CLASSIC) |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Androm-EY |
| SUPERAntiSpyware | Trojan.Agent/Gen-Filecoder |
| Symantec | Packed.Generic.505 |
| Tencent | Win32.Trojan.Inject.Auto |
| Trapmine | malicious.high.ml.score |
| TrendMicro | TSPY_HPDYRE.SM |
| TrendMicro-HouseCall | TSPY_HPDYRE.SM |
| VBA32 | Heur.Malware-Cryptor.Filecoder |
| ViRobot | Trojan.Win32.Agent.210432.T |
| Webroot | Trojan.Dropper.Gen |
| Yandex | Trojan.Yakes!h3qTl8ymTqs |
| Zillya | Trojan.Injector.Win32.364286 |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B"
],
"dll_loaded": [
"C:\\Windows\\system32\\IMM32.DLL",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"SETUPAPI.dll",
"kernel32.dll",
"gdi32.dll",
"user32.dll",
"KERNEL32.dll",
"OLEAUT32.dll",
"rpcrt4.dll",
"ADVAPI32.dll",
"ntdll.dll",
"PSAPI.DLL",
"SHLWAPI.dll",
"USER32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Windows\\System32\\C_1252.NLS"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_USERS\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\"",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\cuckoo_1788.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B"
],
"mutex": [
"{A52878D9-C0C1-1F4A-F2A9-F4C346ED68A7}"
],
"file_failed": [
"C:\\cuckoo_1788.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat\" \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"cmd \/C \"\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"\"",
"\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Windows\\system32\\svchost.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\""
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\api-intf",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3\\Ini",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3\\Client",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Windows\\System32\\*.dll",
"C:\\Windows\\System32\\cmd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Python27\\Scripts\\cmd.*",
"C:\\Python27\\cmd",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cmd.*",
"C:\\Windows\\System32\\cmd.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cmd",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Windows\\System32\\cmd.*",
"C:\\Python27\\cmd.*",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Python27\\Scripts\\cmd",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3\\Install",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\api-intf"
]
}

[
{
"yara": [],
"sha1": "0f0cf92bb6f75a6f513ca6f0ee855a3ab4310c5b",
"name": "ddb3294c1caed983_79B3.bat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "ddb3294c1caed98367ffce9741d15c127cf19504da81b8c72136d5a6cf1ed690",
"urls": [],
"crc32": "9C228860",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1137\/files\/ddb3294c1caed983_79B3.bat",
"ssdeep": null,
"size": 110,
"sha512": "b08e979c799bcf507b6ea02bb0c9e7d12aa9594c2d5ddf920ebf65189b6910cc9b752721c09298e53b15da30c23edf8e6ef07d697ee1dc34293fea4c147b2362",
"pids": [
1616,
1576
],
"md5": "112bb9751d5c400baa59ba447f741051"
},
{
"yara": [],
"sha1": "a4662431d9c9df3df2eff18bdc5a447ece712e35",
"name": "5b71b3b94c28409d_audiores.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca",
"urls": [],
"crc32": "031557AF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1137\/files\/5b71b3b94c28409d_audiores.exe",
"ssdeep": null,
"size": 391680,
"sha512": "9b432eb1e20218ada551c20679acaa73547f28bd4f893f84229701b6e2a3fd381fdd9d52d410d392ab27a7a5710f649c56da0eca9120e653c8f90f9c70c00984",
"pids": [
1616
],
"md5": "8ede3ace8c115bd3a4fd26bd23c35422"
}
]

[
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 2624,
"summary": {
"dll_loaded": [
"kernel32.dll"
],
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\""
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1563501224.3902,
"ppid": 1576
},
{
"process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
"process_name": "cmd.exe",
"pid": 1576,
"summary": {
"dll_loaded": [
"ADVAPI32.dll",
"kernel32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat"
],
"command_line": [
"cmd \/C \"\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"\""
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
],
"directory_enumerated": [
"C:\\Windows\\System32\\cmd.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Python27\\Scripts\\cmd.*",
"C:\\Python27\\cmd",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cmd.*",
"C:\\Windows\\System32\\cmd.COM",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\cmd",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Windows\\System32\\cmd.*",
"C:\\Python27\\cmd.*",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Python27\\Scripts\\cmd",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B"
]
},
"first_seen": 1563501224.2028,
"ppid": 1616
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1563501193.2969,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"process_name": "5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"pid": 2732,
"summary": {
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"dll_loaded": [
"ntdll.dll",
"kernel32.dll",
"user32.dll"
]
},
"first_seen": 1563501193.7344,
"ppid": 1564
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"process_name": "5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"pid": 1616,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B"
],
"dll_loaded": [
"rpcrt4.dll",
"kernel32.dll",
"SETUPAPI.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"C:\\Windows\\System32\\C_1252.NLS",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_USERS\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B",
"C:\\Users\\cuck\\AppData\\Local\\Temp"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat\" \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\""
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3\\Client",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\api-intf"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\*.dll"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3\\Install",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\api-intf"
]
},
"first_seen": 1563501222.4371,
"ppid": 2732
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"process_name": "AudiORes.exe",
"pid": 2280,
"summary": {
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet"
],
"dll_loaded": [
"rpcrt4.dll",
"kernel32.dll"
],
"file_opened": [
"C:\\Windows\\System32\\C_1252.NLS",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_USERS\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"command_line": [
"C:\\Windows\\system32\\svchost.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\AppData",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\api-intf",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet",
"C:\\Windows\\System32\\*.dll"
]
},
"first_seen": 1563501257.3746,
"ppid": 2868
},
{
"process_path": "C:\\Windows\\System32\\svchost.exe",
"process_name": "svchost.exe",
"pid": 2676,
"summary": {
"file_opened": [
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"file_read": [
"C:\\Windows\\System32\\ntdll.dll"
],
"mutex": [
"{A52878D9-C0C1-1F4A-F2A9-F4C346ED68A7}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\C168F9CF-2C2B-9BAC-3E85-20FF528954A3\\Ini",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
],
"dll_loaded": [
"C:\\Windows\\system32\\IMM32.DLL",
"kernel32.dll",
"gdi32.dll",
"KERNEL32.dll",
"OLEAUT32.dll",
"rpcrt4.dll",
"ADVAPI32.dll",
"ntdll.dll",
"PSAPI.DLL",
"SHLWAPI.dll",
"USER32.dll"
]
},
"first_seen": 1563501265.9059,
"ppid": 2280
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"process_name": "AudiORes.exe",
"pid": 2868,
"summary": {
"file_opened": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"dll_loaded": [
"ntdll.dll",
"kernel32.dll",
"user32.dll"
]
},
"first_seen": 1563501224.5621,
"ppid": 2624
},
{
"process_path": "C:\\Windows\\explorer.exe",
"process_name": "explorer.exe",
"pid": 1788,
"summary": {
"file_opened": [
"C:\\"
],
"file_exists": [
"C:\\cuckoo_1788.ini"
],
"file_failed": [
"C:\\cuckoo_1788.ini"
]
},
"first_seen": 1563501269.3278,
"ppid": 1740
}
]

[
{
"markcount": 16,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 195
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "if ",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 197
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "not ",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 199
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "exist \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" ",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 201
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "goto",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 203
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 226
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "cmd",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 228
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \/C \"\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"\" ",
"console_handle": "0x00000007"
},
"time": 1563501224.2968,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 230
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 290
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "if ",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 292
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "errorlevel 1 ",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 294
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "goto",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 296
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "C:\\Users\\cuck\\AppData\\Local\\Temp>",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 332
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "del",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 334
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": " \"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat\" ",
"console_handle": "0x00000007"
},
"time": 1563501257.3118,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 336
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "The batch file cannot be found.\r\n",
"console_handle": "0x0000000b"
},
"time": 1563501257.3278,
"tid": 2248,
"flags": {}
},
"pid": 1576,
"type": "call",
"cid": 358
}
],
"references": [],
"name": "console_output"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1563501224.0001,
"tid": 816,
"flags": {}
},
"pid": 1616,
"type": "call",
"cid": 104
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 18,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077830000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 329
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000000007782b000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 330
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077830000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 334
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000000007782b000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 335
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077830000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 339
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000000007782b000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 340
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff2ea000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 344
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff2e5000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 345
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefde1a000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 372
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefde2c000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 374
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefde1a000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 376
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefde2c000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 378
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feffb6f000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 380
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feffbb3000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 382
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077932000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 384
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000000007793d000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 386
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefdee1000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 388
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefdef1000"
},
"time": 1563501269.2499,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 390
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 1,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Windows\\system32\\svchost.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 2,
"families": [],
"description": "Drops a binary and executes it",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dropper"
},
{
"markcount": 1,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 1,
"families": [],
"description": "A process created a hidden window",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "ShellExecuteExW",
"return_value": 1,
"arguments": {
"parameters": "\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat",
"show_type": 0
},
"time": 1563501224.1251,
"tid": 816,
"flags": {}
},
"pid": 1616,
"type": "call",
"cid": 239
}
],
"references": [],
"name": "stealth_window"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.9778503427542,
"section": {
"size_of_data": "0x0003b200",
"virtual_address": "0x00028000",
"entropy": 7.9778503427542,
"name": ".reloc",
"virtual_size": "0x0003b0c8"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.61992136304063,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 685,
"families": [],
"description": "Potentially malicious URLs were found in the process memory dump",
"severity": 2,
"marks": [
{
"category": "url",
"ioc": "http:\/\/www.expedia.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/download-installer.cdn.mozilla.net\/pub\/firefox\/releases\/60.0.2\/win32\/en-US\/Firefox%20Installer.exe",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/uk.ask.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.priceminister.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAyDx8u.img?h=75",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAyDpQn.img?h=75",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAyDG2i.img?h=75",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.iask.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAyGCD1.img?h=75",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.merlin.com.pl\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.cnet.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/c.s-microsoft.com\/mscc\/statics\/mscc-0.4.0.min.css",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/report-uri.cloudflare.com\/cdn-cgi\/beacon\/expect-ct",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AA70XHo.img?h=194",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/BBwKMyE.img?h=75",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAwJdbf.img?h=333",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/BBAIVZe.img?h=16",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.nifty.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/ns.adobe.com\/exif\/1.0\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.etmall.com.tw\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.goo.ne.jp\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/fr.wikipedia.org\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/mozilla.org\/set_hsts.gif",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/www.mozilla.org\/media\/img\/logos\/social\/social-icon-sprite.bf2ae0cd0f01.svg",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/busca.estadao.com.br\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.hanafos.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAyGsMl.img?h=194",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/www.mozilla.org\/media\/css\/BUNDLES\/pebbles.03d45fb8fff9.css",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/BBI5uP7.img?h=75",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.chol.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/purl.org\/rss\/1.0\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AA5P5kF.img?h=16",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAyI7qy.img?h=333",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/amazon.fr\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/BB5SfLo.img?h=16",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.amazon.co.jp\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.mtv.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/busqueda.aol.com.mx\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.live.com\/results.aspx?FORM=SOLTDF",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/msdn.microsoft.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/msdn.microsoft.com\/workshop\/security\/privacy\/overview\/privacyimportxml.asp)",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAmUOVK.img?h=16",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/purl.org\/rss\/1.0\/modules\/syndication\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/www.sify.com\/favicon.ico",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/yellowpages.superpages.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/suche.freenet.de\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "https:\/\/support.microsoft.com\/app\/content\/bundles\/jslibraries?v=DMy4NO0p6y0nE7ZotmAwCZXevAPDwyAVit9cxFmKMyo1",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/static-global-s-msn-com.akamaized.net\/img-resizer\/tenant\/amp\/entityid\/AAmS5r5.img?h=16",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/search.aol.com\/",
"type": "ioc",
"description": null
},
{
"category": "url",
"ioc": "http:\/\/browse.guardian.co.uk\/",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "memdump_urls"
},
{
"markcount": 2,
"families": [],
"description": "Terminates another process",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 487,
"nt_status": -1073741800,
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2584,
"process_handle": "0x00000098"
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 57
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtTerminateProcess",
"return_value": 0,
"arguments": {
"status_code": "0x00000000",
"process_identifier": 2584,
"process_handle": "0x00000098"
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 58
}
],
"references": [],
"name": "terminates_remote_process"
},
{
"markcount": 1,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 7,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 1813,
"nt_status": -1073741686,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2584,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000098",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2732,
"type": "call",
"cid": 53
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1616,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x0000009c",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2732,
"type": "call",
"cid": 63
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2280,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000098",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2868,
"type": "call",
"cid": 56
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000104",
"allocation_type": 12288,
"base_address": "0x002e0000"
},
"time": 1563501266.6246,
"tid": 2600,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2280,
"type": "call",
"cid": 280
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0x00000000000000d0",
"base_address": "0x00000000779f6000"
},
"time": 1563501269.4529,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 400
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000000000000d0",
"allocation_type": 12288,
"base_address": "0x0000000002910000"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2676,
"type": "call",
"cid": 426
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0x00000000000000d0",
"base_address": "0x00000000779f6000"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 432
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\api-intf",
"reg_value": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 2,
"families": [],
"description": "Creates a thread using CreateRemoteThread in a non-child process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2676 created a remote thread in non-child process 1788",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateRemoteThread",
"return_value": 212,
"arguments": {
"thread_identifier": 2140,
"process_identifier": 1788,
"function_address": "0x00000000779f6930",
"flags": 4,
"process_handle": "0x00000000000000d0",
"parameter": "0x0000000000000000",
"stack_size": 0
},
"time": 1563501269.4529,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 398
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_createremotethread"
},
{
"markcount": 9,
"families": [],
"description": "Manipulates memory of a non-child process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2732 manipulating memory of non-child process 2584",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 1813,
"nt_status": -1073741686,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2584,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000098",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2732,
"type": "call",
"cid": 53
},
{
"category": "Process injection",
"ioc": "Process 2676 manipulating memory of non-child process 1788",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0x00000000000000d0",
"base_address": "0x00000000779f6000"
},
"time": 1563501269.4529,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 400
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 32,
"process_handle": "0x00000000000000d0",
"base_address": "0x00000000779f6000"
},
"time": 1563501269.4529,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READ"
}
},
"pid": 2676,
"type": "call",
"cid": 402
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "601db896fbd3218d2dd0ad604b4194032b210bb2",
"api": "NtMapViewOfSection",
"return_value": 0,
"arguments": {
"section_handle": "0x000000000000008c",
"process_identifier": 1788,
"commit_size": 0,
"win32_protect": 64,
"buffer": "",
"process_handle": "0x00000000000000d0",
"allocation_type": 0,
"section_offset": 0,
"view_size": 565248,
"base_address": "0x0000000006640000"
},
"time": 1563501314.1409,
"tid": 2456,
"flags": {
"win32_protect": "PAGE_EXECUTE_READWRITE",
"allocation_type": ""
}
},
"pid": 2676,
"type": "call",
"cid": 411
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000000000000d0",
"allocation_type": 12288,
"base_address": "0x0000000002910000"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2676,
"type": "call",
"cid": 426
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0x00000000000000d0",
"base_address": "0x00000000779f6000"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2676,
"type": "call",
"cid": 432
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 32,
"process_handle": "0x00000000000000d0",
"base_address": "0x00000000779f6000"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READ"
}
},
"pid": 2676,
"type": "call",
"cid": 434
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_modifies_memory"
},
{
"markcount": 10,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"process_handle": "0x0000009c",
"base_address": "0x00400000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 64
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"process_handle": "0x0000009c",
"base_address": "0x00406000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"process_handle": "0x0000009c",
"base_address": "0x00408000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x0000009c",
"base_address": "0x7efde008"
},
"time": 1563501221.3444,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 70
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"process_handle": "0x00000098",
"base_address": "0x00400000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 57
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"process_handle": "0x00000098",
"base_address": "0x00406000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 59
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"process_handle": "0x00000098",
"base_address": "0x00408000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 61
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000098",
"base_address": "0x7efde008"
},
"time": 1563501255.9691,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 63
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 2,
"families": [],
"description": "Code injection by writing an executable or DLL to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"process_handle": "0x0000009c",
"base_address": "0x00400000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 64
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"process_handle": "0x00000098",
"base_address": "0x00400000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 57
}
],
"references": [],
"name": "injection_write_memory_exe"
},
{
"markcount": 1,
"families": [],
"description": "Creates a windows hook that monitors keyboard input (keylogger)",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "SetWindowsHookExW",
"return_value": 24314413,
"arguments": {
"thread_identifier": 0,
"callback_function": "0x00000000ffe9ae10",
"module_address": "0x00000000ffdf0000",
"hook_identifier": 13
},
"time": 1563501285.7658,
"tid": 1828,
"flags": {
"hook_identifier": "WH_KEYBOARD_LL"
}
},
"pid": 1788,
"type": "call",
"cid": 802
}
],
"references": [],
"name": "infostealer_keylogger"
},
{
"markcount": 6,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2732 called NtSetContextThread to modify thread in remote process 1616",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000a0",
"registers": {
"eip": 2008678852,
"esp": 3209584,
"edi": 0,
"eax": 4198518,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 1616
},
"time": 1563501221.3444,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 71
},
{
"category": "Process injection",
"ioc": "Process 2868 called NtSetContextThread to modify thread in remote process 2280",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000094",
"registers": {
"eip": 2008678852,
"esp": 2881688,
"edi": 0,
"eax": 4198518,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2280
},
"time": 1563501255.9691,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 64
},
{
"category": "Process injection",
"ioc": "Process 2676 called NtSetContextThread to modify thread in remote process 1788",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000d4",
"registers": {
"r14": 0,
"r9": 2006935856,
"rcx": 0,
"rsi": 0,
"r10": 0,
"rbx": 0,
"rdi": 0,
"r11": 0,
"r8": 0,
"rdx": 2006935856,
"rip": 43057688,
"rbp": 0,
"r15": 0,
"r12": 0,
"rsp": 156302648,
"rax": 43057152,
"r13": 0
},
"process_identifier": 1788
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 429
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 10,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2732 resumed a thread in remote process 1616",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000a0",
"suspend_count": 1,
"process_identifier": 1616
},
"time": 1563501222.3444,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 72
},
{
"category": "Process injection",
"ioc": "Process 2868 resumed a thread in remote process 2280",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000094",
"suspend_count": 1,
"process_identifier": 2280
},
"time": 1563501257.2811,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 65
},
{
"category": "Process injection",
"ioc": "Process 2280 resumed a thread in remote process 2676",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501265.8436,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 247
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501266.4996,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 250
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501269.1716,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 284
},
{
"category": "Process injection",
"ioc": "Process 2676 resumed a thread in remote process 1788",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000d4",
"suspend_count": 1,
"process_identifier": 1788
},
"time": 1563501313.5939,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 405
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 45,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2576,
"thread_handle": "0x00000094",
"process_identifier": 2584,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000098",
"inherit_handles": 0
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2732,
"type": "call",
"cid": 49
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000094"
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 51
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 1813,
"nt_status": -1073741686,
"api": "NtAllocateVirtualMemory",
"return_value": 3221225496,
"arguments": {
"process_identifier": 2584,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000098",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501221.3124,
"tid": 2660,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2732,
"type": "call",
"cid": 53
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 816,
"thread_handle": "0x000000a0",
"process_identifier": 1616,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca.bin",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x0000009c",
"inherit_handles": 0
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2732,
"type": "call",
"cid": 59
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000a0"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 61
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1616,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x0000009c",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2732,
"type": "call",
"cid": 63
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000iPa\u00ee-1\u000f\u00bd-1\u000f\u00bd-1\u000f\u00bd\n\u00f7r\u00bd,1\u000f\u00bd\n\u00f7b\u00bd\/1\u000f\u00bd$I\u009c\u00bd#1\u000f\u00bd-1\u000e\u00bd\u00b81\u000f\u00bd\u00ee>R\u00bd.1\u000f\u00bd\u00ee>P\u00bd,1\u000f\u00bd\u00ee>\u0000\u00bd.1\u000f\u00bd\n\u00f7~\u00bd41\u000f\u00bd\n\u00f7s\u00bd,1\u000f\u00bd\n\u00f7w\u00bd,1\u000f\u00bdRich-1\u000f\u00bd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0005\u0000\u0005\u0087\u00faU\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000B\u0000\u0000\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000v\u0010\u0000\u0000\u0000\u0010\u0000\u0000\u0000`\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0090\u0003\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004c\u0000\u0000\u00a0\u0000\u0000\u0000\u0000\u0090\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
00\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000`\u0000\u0000\u00e0\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000t@\u0000\u0000\u0000\u0010\u0000\u0000\u0000B\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`.rdata\u0000\u0000\u009a\r\u0000\u0000\u0000`\u0000\u0000\u0000\u000e\u0000\u0000\u0000F\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@.data\u0000\u0000\u0000<\u0005\u0000\u0000\u0000p\u0000\u0000\u0000\u0004\u0000\u0000\u0000T\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.bss\u0000\u0000\u0000\u0000\u009a\u0005\u0000\u0000\u0000\u0080\u0000\u0000\u0000\u0006\u0000\u0000\u0000X\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u00c0.rsrc\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0090\u0000\u0000\u0000\u00fc\u0002\u0000\u0000^\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000J1\u0000\u0000\u0000\u0092\u0000\u0000\u0000^\u0002\u0000\u00a7\u00ceuO\u0005\u0000\u0001\u0000J1\u0000\u0000\u0000\u00f4\u0001\u0000\u0000\u0000\u0003\u0000\u00b4\u00aa\u00f8\u0090\r\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u000
0\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x0000009c",
"base_address": "0x00400000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 64
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "3c54ae25097f4d47bcd79ca3a57c566b3c73898f",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "",
"process_handle": "0x0000009c",
"base_address": "0x00401000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 65
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": ".m\u0000\u0000 m\u0000\u0000\u000em\u0000\u0000\u00fel\u0000\u0000\u00e2i\u0000\u0000\u00d2i\u0000\u0000\u00bei\u0000\u0000\u00a8i\u0000\u0000\u0096i\u0000\u0000|i\u0000\u0000ni\u0000\u0000Zi\u0000\u0000Fi\u0000\u00004i\u0000\u0000&i\u0000\u0000\u0016i\u0000\u0000\u0000\u0000\u0000\u0000Pg\u0000\u0000dg\u0000\u0000pg\u0000\u0000|g\u0000\u0000\u008ag\u0000\u0000\u009cg\u0000\u0000\u00a8g\u0000\u0000\u00bag\u0000\u0000\u00c8g\u0000\u0000\u00d6g\u0000\u0000\u00e2g\u0000\u0000\u00f0g\u0000\u0000\u00feg\u0000\u0000\fh\u0000\u0000 h\u0000\u00008h\u0000\u0000Dh\u0000\u0000Ph\u0000\u0000\\h\u0000\u0000rh\u0000\u0000zh\u0000\u0000\u0086h\u0000\u0000\u0092h\u0000\u0000\u00a6h\u0000\u0000\u00b6h\u0000\u00008l\u0000\u0000(l\u0000\u0000\u001cl\u0000\u0000\u0010l\u0000\u0000\u00fek\u0000\u0000>g\u0000\u0000.g\u0000\u0000\"g\u0000\u0000\u0016g\u0000\u0000\u0006g\u0000\u0000\u00f4f\u0000\u0000\u00e4f\u0000\u0000\u00d2f\u0000\u0000\u00c4f\u0000\u0000\u00b0f\u0000\u0000\u00a2f\u0000\u0000\u0094f\u0000\u0000~f\u0000\u0000\u00f0k\u0000\u0000Tl\u0000\u0000df\u0000\u0000\u00f2l\u0000\u0000\u00d6l\u0000\u0000\u00cal\u0000\u0000\u00bcl\u0000\u0000\u00acl\u0000\u0000\u00a0l\u0000\u0000\u008al\u0000\u0000tl\u0000\u0000hl\u0000\u0000\u00dck\u0000\u0000\u00c8k\u0000\u0000\u00b2k\u0000\u0000\u00a4k\u0000\u0000\u0090k\u0000\u0000\u0080k\u0000\u0000Lk\u0000\u0000bk\u0000\u0000pk\u0000\u0000\u0000\u0000\u0000\u0000fm\u0000\u0000\\\u0000\u0000\u0080\u0006j\u0000\u0000\u0000\u0000\u0000\u0000\u00f0e\u0000\u0000Nf\u0000\u0000Bf\u0000\u0000,f\u0000\u0000 
f\u0000\u0000\u0016f\u0000\u0000\u0006f\u0000\u0000\u0000\u0000\u0000\u0000\u00d4h\u0000\u0000\u00f0h\u0000\u0000\u00fch\u0000\u0000\u00e4h\u0000\u0000\u0000\u0000\u0000\u0000\u00f0j\u0000\u0000\u00c8j\u0000\u0000\u00a6j\u0000\u0000\u0094j\u0000\u0000\u008aj\u0000\u0000tj\u0000\u0000Rj\u0000\u0000vm\u0000\u0000\fk\u0000\u0000\u001ck\u0000\u00002k\u0000\u0000\u00bej\u0000\u0000\u00d4j\u0000\u0000\u00cce\u0000\u0000\\j\u0000\u0000\u00b4e\u0000\u0000\u0082m\u0000\u0000\u0000\u0000\u0000\u0000$j\u0000\u00006j\u0000\u0000\u0000\u0000\u0000\u0000Unknown Device\u0000\u0000RBC Device\u0000\u0000Enclosure Device\u0000\u0000\u0000\u0000Array Device\u0000\u0000\u0000\u0000ASCIT8\u0000\u0000Comm. Device\u0000\u0000\u0000\u0000Media Changer\u0000\u0000\u0000Optical Disk\u0000\u0000\u0000\u0000Scanner Device\u0000\u0000CDROM Device\u0000\u0000\u0000\u0000WORM Device\u0000Processor Device\u0000\u0000\u0000\u0000Printer Device\u0000\u0000Tape Device\u0000Direct Access Device\u0000\u0000\u0000\u0000RAID\u0000\u0000\u0000\u0000USB\u0000FIBRE\u0000\u0000\u0000SSA\u0000IEEE 1394\u0000\u0000\u0000ATA\u0000ATAPI\u0000\u0000\u0000SCSI\u0000\u0000\u0000\u0000UNKNOWN\u0000 \u0000\t\u0000\"\u0000\u0000\u0000Sep 17 
2015\u0000.bss\u0000\u0000\u0000\u0000\u00ff\u00ff\u00ff\u00ffI?@\u0000M?@\u0000`e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e6e\u0000\u0000\u008ca\u0000\u0000,e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Xf\u0000\u0000Xa\u0000\u0000\u0018d\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c6h\u0000\u0000D`\u0000\u0000Le\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ni\u0000\u0000xa\u0000\u0000\u00d4c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f8i\u0000\u0000\u0000`\u0000\u0000\u001ce\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0018j\u0000\u0000Ha\u0000\u0000\u00a8e\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Hj\u0000\u0000\u00d4a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.m\u0000\u0000 m\u0000\u0000\u000em\u0000\u0000\u00fel\u0000\u0000\u00e2i\u0000\u0000\u00d2i\u0000\u0000\u00bei\u0000\u0000\u00a8i\u0000\u0000\u0096i\u0000\u0000|i\u0000\u0000ni\u0000\u0000Zi\u0000\u0000Fi\u0000\u00004i\u0000\u0000&i\u0000\u0000\u0016i\u0000\u0000\u0000\u0000\u0000\u0000Pg\u0000\u0000dg\u0000\u0000pg\u0000\u0000|g\u0000\u0000\u008ag\u0000\u0000\u009cg\u0000\u0000\u00a8g\u0000\u0000\u00bag\u0000\u0000\u00c8g\u0000\u0000\u00d6g\u0000\u0000\u00e2g\u0000\u0000\u00f0g\u0000\u0000\u00feg\u0000\u0000\fh\u0000\u0000 
h\u0000\u00008h\u0000\u0000Dh\u0000\u0000Ph\u0000\u0000\\h\u0000\u0000rh\u0000\u0000zh\u0000\u0000\u0086h\u0000\u0000\u0092h\u0000\u0000\u00a6h\u0000\u0000\u00b6h\u0000\u00008l\u0000\u0000(l\u0000\u0000\u001cl\u0000\u0000\u0010l\u0000\u0000\u00fek\u0000\u0000>g\u0000\u0000.g\u0000\u0000\"g\u0000\u0000\u0016g\u0000\u0000\u0006g\u0000\u0000\u00f4f\u0000\u0000\u00e4f\u0000\u0000\u00d2f\u0000\u0000\u00c4f\u0000\u0000\u00b0f\u0000\u0000\u00a2f\u0000\u0000\u0094f\u0000\u0000~f\u0000\u0000\u00f0k\u0000\u0000Tl\u0000\u0000df\u0000\u0000\u00f2l\u0000\u0000\u00d6l\u0000\u0000\u00cal\u0000\u0000\u00bcl\u0000\u0000\u00acl\u0000\u0000\u00a0l\u0000\u0000\u008al\u0000\u0000tl\u0000\u0000hl\u0000\u0000\u00dck\u0000\u0000\u00c8k\u0000\u0000\u00b2k\u0000\u0000\u00a4k\u0000\u0000\u0090k\u0000\u0000\u0080k\u0000\u0000Lk\u0000\u0000bk\u0000\u0000pk\u0000\u0000\u0000\u0000\u0000\u0000fm\u0000\u0000\\\u0000\u0000\u0080\u0006j\u0000\u0000\u0000\u0000\u0000\u0000\u00f0e\u0000\u0000Nf\u0000\u0000Bf\u0000\u0000,f\u0000\u0000 
f\u0000\u0000\u0016f\u0000\u0000\u0006f\u0000\u0000\u0000\u0000\u0000\u0000\u00d4h\u0000\u0000\u00f0h\u0000\u0000\u00fch\u0000\u0000\u00e4h\u0000\u0000\u0000\u0000\u0000\u0000\u00f0j\u0000\u0000\u00c8j\u0000\u0000\u00a6j\u0000\u0000\u0094j\u0000\u0000\u008aj\u0000\u0000tj\u0000\u0000Rj\u0000\u0000vm\u0000\u0000\fk\u0000\u0000\u001ck\u0000\u00002k\u0000\u0000\u00bej\u0000\u0000\u00d4j\u0000\u0000\u00cce\u0000\u0000\\j\u0000\u0000\u00b4e\u0000\u0000\u0082m\u0000\u0000\u0000\u0000\u0000\u0000$j\u0000\u00006j\u0000\u0000\u0000\u0000\u0000\u0000{\u0002RtlFreeUnicodeString\u0000\u0000\u0098\u0003RtlUpcaseUnicodeString\u0000\u0000ntdll.dll\u0000F\u0000PathFindExtensionA\u0000\u0000:\u0000PathCombineW\u0000\u0000\u000f\u0001StrChrA\u0000P\u0001StrTrimW\u0000\u0000G\u0000PathFindExtensionW\u0000\u00006\u0001StrRChrA\u0000\u0000\u0014\u0001StrChrW\u0000SHLWAPI.dll\u0000y\u0002GetSystemTimeAsFileTime\u0000\u00f9\u0004WaitForSingleObject\u0000\u00ce\u0002HeapDestroy\u0000\u00cd\u0002HeapCreate\u0000\u0000\u0015\u0002GetModuleHandleA\u0000\u0000\u0019\u0001ExitProcess\u0000\u0087\u0001GetCommandLineW\u0000C\u0001FindNextFileA\u00002\u0001FindFirstFileA\u0000\u0000\u0002\u0002GetLastError\u0000\u0000E\u0005lstrcmpiW\u0000\u00cb\u0002HeapAlloc\u0000\u0093\u0002GetTickCount\u0000\u0000E\u0002GetProcAddress\u0000\u0000\u00ac\u0004SetWaitableTimer\u0000\u0000?\u0005lstrcatW\u0000\u0000.\u0001FindClose\u0000\u00f2\u0001GetFileTime\u0000`\u0000CompareFileTime\u0000%\u0005WriteFile\u0000\u00a4\u0000CreateProcessA\u0000\u0000\u0088\u0000CreateFileA\u0000\u000f\u0004ResetEvent\u0000\u0000\u00cf\u0002HeapFree\u0000\u0000R\u0000CloseHandle\u0000\u00d6\u0000DeleteFileW\u0000\u008f\u0000CreateFileW\u0000\u0081\u0000CreateDirectoryW\u0000\u0000\u00bf\u0000CreateWaitableTimerA\u0000\u0000>\u0005lstrcatA\u0000\u0000H\u0005lstrcpyW\u0000\u0000Y\u0004SetEvent\u0000\u0000a\u0004SetFileAttributesW\u0000\u0000\u00b2\u0004Sleep\u0000N\u0005lstrlenW\u0000\u0000G\u0005lstrcpyA\u0000\u0000W\u0001FlushFil
eBuffers\u0000\u0000S\u0004SetEndOfFile\u0000\u0000\u0082\u0000CreateEventA\u0000\u0000KERNEL32.dll\u0000\u0000\u001f\u0001GetCursorInfo\u00003\u0003wsprintfW\u00002\u0003wsprintfA\u0000\u00f7\u0000FindWindowA\u0000USER32.dll\u0000\u00007\u0002RegCreateKeyA\u0000_\u0002RegOpenKeyA\u0000}\u0002RegSetValueExA\u0000\u0000\u00f7\u0001OpenProcessToken\u0000\u0000m\u0002RegQueryValueExA\u0000\u00000\u0002RegCloseKey\u0000X\u0001GetSidSubAuthorityCount\u0000~\u0002RegSetValueExW\u0000\u0000W\u0001GetSidSubAuthority\u0000\u0000n\u0002RegQueryValueExW\u0000\u0000`\u0002RegOpenKeyExA\u0000Z\u0001GetTokenInformation\u0000ADVAPI32.dll\u0000\u0000!\u0001ShellExecuteExW\u0000SHELL32.dll\u0000l\u0000CoUninitialize\u0000\u0000?\u0000CoInitializeEx\u0000\u0000ole32.dll\u0000F\u0005memcpy\u0000\u0000\u0091\u0001NtUnmapViewOfSection\u0000\u0000\u00ea\u0000NtMapViewOfSection\u0000\u0000H\u0005memset\u0000\u0000\u00aa\u0000NtCreateSection\u0000\u000b\u0003RtlNtStatusToDosError\u0000\u00e0\u0003ZwClose\u0000C\u0005mbstowcs\u0000\u0000i\u0004ZwQueryInformationProcess\u00000\u0001NtQuerySystemInformation\u0000\u0000H\u0004ZwOpenProcess\u0000I\u0004ZwOpenProcessToken\u0000\u0000k\u0004ZwQueryInformationToken\u0000\u00a9\u0000CreateRemoteThread\u0000\u0000\u0080\u0003OpenProcess\u0000\u00ba\u0004SuspendThread\u0000\u0013\u0004ResumeThread\u0000\u0000\u00f0\u0004VirtualProtectEx\u0000\u0000\u00a2\u0002GetVersion\u0000\u0000\u00c1\u0001GetCurrentProcessId\u0000\u000f\u0002GetLongPathNameW\u0000\u0000\u0082\u0002GetTempFileNameA\u0000\u0000\u00f0\u0001GetFileSize\u0000f\u0004SetFilePointer\u0000\u0000M\u0005lstrlenA\u0000\u0000\u00c0\u0003ReadFile\u0000\u0000\u0084\u0002GetTempPathA\u0000\u0000\u001d\u0001ExpandEnvironmentStringsW\u0000|\u0000CreateDirectoryA\u0000\u0000J\u0005lstrcpynA\u0000\u0013\u0002GetModuleFileNameA\u0000\u0000\u0014\u0002GetModuleFileNameW\u0000\u0000D\u0005lstrcmpiA\u0000\u00e9\u0004VirtualAlloc\u0000\u0000\u00ec\u0004VirtualFree\u0000H\u0003LocalFree\u0000\u001c\u0001E
xpandEnvironmentStringsA\u0000A\u0005lstrcmpA\u0000\u0000N\u0002RegEnumKeyExA\u0000H\u0002RegDeleteValueW\u0000d\u0002RegOpenKeyW\u0000q\u0000ConvertStringSecurityDescriptorToSecurityDescriptorA\u0000\u0000\"\u0001ShellExecuteW\u0000\u0096\u0003RtlUnwind\u00005\u0001NtQueryVirtualMemory\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x0000009c",
"base_address": "0x00406000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "\u0003\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u000b\u0000\u0000\u0000\r\u0000\u0000\u0000kF\u00bf\u0088r4\u00a9\u00ba\u00e8\u0006\u00f3\u00bc\u009c\u0080\u0087\u00c4\u0004z]\u00f5\u0080\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000H\u008b\u00c4SUVWATAUAVAWH\u0083\u00ecHH\u008bQ0H\u008b\u00f9H\u0085\u00d2H\u0089P\u0010\u000f\u0084\u008d\u0002\u0000\u0000Hcr\u00bc\u0003?\u00ca\u00d4\u009a\u0081V\u00aeW\u0085\u001d{2\u00e7\u00b6j\u00af\u00d3\u00d7\u00bc\u0095%\u00c5\u000fL\u00c8B\u00ce\u00b3[#\u00eb\u00e2-v\u00a5\u00baq\u00c4\u0011\u00b3pO\u00c9\u00c6\u0017j\u00dfw?\f\u0015s\u008b\u00d4\u00f26\u00da\u00ae+Y\u00f0\u0007\/\u00ce\u0083@`\u0096\u001fx\u009a^\u00127\u00ce<\u00e4\u0097\u009a\u0087\u00c6\u00fc\u0016;\u0096Z\u00ad\u00b3{\u0095\u00e4\u00c4\u00a2-b6e\u00a8\u00ae\/\u00d9\u00f7\u0016\u00a0\u0091\u00b8\u00cdC\u00f6\u0082\u00dc\u00e4\u00c5\u00f5\u00bel\u00f9\u008f\r\u00b9!\u0018$\u001e\u0002\u001b\u00b2\u00dcT\u00c9\u00f9E\u0088W\u0003\u00cdF\u0019\u00e1)\u00ac+\u00f1\u0094\u009eM\u00c9\u00a4\u008e\u001fg\u00f1j\u00b9\u0006\f\u0013\u00ea\u00b7x\u00e3\u00ebq\u0002\u00f2XJ\u00cf\u00b9B\u00ba\u0089q\u00d6\u00d24G\u00e4z\u0010\u00c5\u0010\u00c8E\u0001\u0096!\u0090h\u00ff\u0001\u00b3>\u00bf\u00cf\u00c9\/,\u00e4\u0004dv\u0003\u00c2\u00acb\u0014\u0016\u00c6U\u00ba\u00d8\u0082\u0095\t\u008dj: 
Z\u0013\u00eb\u0010\u00bc\u0004\u00fe\u0096\u00c4p\u00ea\u00ef\u00d8;%\u008b\u0089\u00f9\u008d\u008d}\u00ca\u00f2\u00af\u00ed\u00c4f\t\u00b9\u0000\u00e0\u00fa|y\u00db\b\u00ce\u00ffi&T\u00a1\u00dfX\u00db(V\b9h\u00ffJ\u008aW\u00dc\u00f6\u001eM&\u00a1\u00e2\u00f5\u00e0j]\u00f5\u00da^O\u00a3\u008a\u0098\u009f\u00f58(\u0097pqqX:\u00cba\u00e3\t\u00bc\u00e5\u00d1Y\u00e4G\u00cd\u00ddC\u000e\u0098\u001c\u00f8\u00bf\u001eN\u00c9{\u00c4\u00ba\u00df\u0090\\w\u0083\u00ef\u0090\u00be\u00ab\u00f8a\u00de\u008b\u00f6\u00af\u009a\u0099E\u00aa\u00ca\u00c3\u0084\u001d\u0001\u00fb\u00f0\u009f\u00b4o?\u0087i\u00f1\u0083K`\u00f2[+\u0002\u00d8\u0096=\u00a4\u00d7\u00a6\u00b5^P\u00bf\u00e4\u0000Y\u00f8\u00169}+\u00b6\u00dd\u0019\u00f8M\u00cbr P\u0092\u0086\u00e6\u0018,\u00bc\u001fm\n\u00b6{gx\u0014OW\u00ff\u00f7:\u00c6\u00c7%\u00b9\u0094\u00d6@\u00c6a\u00c0.\u001fg\u00d9^\u00d3-g\u0011\"MA\u00c3\u00acW3A\u0018\u0092\u00e1\u0083\r(\u00f0A\u00db\u0098\u00e0c\n\u00c8\u00f2\u0010\u00cd\u0001<\u00cb+k\u0006\u00cd\u0090Xq-\u00ae\u00ec\u00a9\u00da\u00eb-r\u00b0\u00a5\u00e6c\u00d64\u00d2dr\u00c5\u00eb0\u0003\u0011\u00aa1\u00d7\u00e7\u00d3\u0019\u00c1f\u00fbbG\u001aM\u00ba\u00b0K\u00bca\u0002%\u00cfp\u00f7\u00b7\u00e8G\u00bf.\u0016\u0099\u0080\u00e2]\u00d6P\u0080\u00babKT\u00a6\u0002\u00cd\u0018(\u00d8>\u00dd\u00c9O_\u00d9#>\u0018\u00fa5+\u0016\u00a2\u00ab\u0093\u00eej\u00a6\u00dc\u00bc\bP|\u00b3\u00b3r\u0017\u00d1\u00b1\u00e8\u00e1\n\u00f0\tz`\u00bfrk\u00c7\/\u0004^\u000b\u0017x!x\u009e\u00b1\/-|\u00d7\u009a&\u00dc\u00ee\u00ee\u0096\u00ce|\u0014\u00c4\u00a7\u0095\u0007\u00d4PV\u00be \u00a2Q\u00da\u000e\u0018\u008ff\u00f7\u00df\u00ceo\u00a1\u00b8\u00a9\u00c7\u00a2\u0018\u0090\u00b6\u001c\u00cc\u0012z\u00ea\u0019\u00fah\u00a0\u00cejy\u0002\u001f:k\u00cac\u00c3\u00fd\u00a1\u00a0\u0080\u00bb\u00f8\u00f4q\u001e\u00ffAU~=q\u00db\u00a6\u00cahF9\u00aa\u00a4\u0084 
\u00de6\u0083d\u00f6\f\u00bezM\u00042=\u00af\u00f1\u00db\u001d\u00acQ\u00ee_*[x\u0087\u0085B-XL\fV\u00d99\u00dc6\u00ef\u00f7$\u00eaS\u008ddf\u009aO\u0002\u008f1H\u00a5\u008aP*\u0095tBI\u0089%\u0084(-v\u009eJ\u00c9!\u008c%}}>L\u00a94\u00ac\u0012\u00fdV\u00bep)c\u00ac\u0094\u00fdm\u00be~)\u00bd\u00acd\u00fe\u00f5\u00bd\u0096-\u00a5\u00a8\u00b4\u00fd\u00f5\u00be\u00165\u00e5\u00a5t\u00f1\u00b5\u00a6\u0016\u0000\u00e5\u0096t\u0090\u00b5b\u0016\u00f8\u00e5\u00f0w,\u00b4*\u0017\u0098\u00e6Xq\f\u00b2J\u001a\u0018\u00fe\u0018i\u00cc\u00be\n)\u0018\u00cb\u0018\u00ad\u00cc\u00df\nG\u0018\u008f\u00184\u00e5F\u0018S\u0013D8\u00c3\u0014`\u00c5\u00cc\u001d!\u00a7\/M3\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x0000009c",
"base_address": "0x00408000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "29f31b5023708055057f2f94c56f56e18aa4d662",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "",
"process_handle": "0x0000009c",
"base_address": "0x00409000"
},
"time": 1563501221.3284,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 69
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 1616,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x0000009c",
"base_address": "0x7efde008"
},
"time": 1563501221.3444,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 70
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000a0",
"registers": {
"eip": 2008678852,
"esp": 3209584,
"edi": 0,
"eax": 4198518,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 1616
},
"time": 1563501221.3444,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 71
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000a0",
"suspend_count": 1,
"process_identifier": 1616
},
"time": 1563501222.3444,
"tid": 2660,
"flags": {}
},
"pid": 2732,
"type": "call",
"cid": 72
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000e8",
"suspend_count": 1,
"process_identifier": 1616
},
"time": 1563501224.0001,
"tid": 816,
"flags": {}
},
"pid": 1616,
"type": "call",
"cid": 112
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2248,
"thread_handle": "0x0000027c",
"process_identifier": 1576,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "",
"track": 1,
"command_line": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\7E3B\\79B3.bat\" \"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 67634192,
"process_handle": "0x00000274",
"inherit_handles": 0
},
"time": 1563501224.1251,
"tid": 816,
"flags": {
"creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 1616,
"type": "call",
"cid": 238
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2516,
"thread_handle": "0x00000084",
"process_identifier": 2624,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "C:\\Windows\\System32\\cmd.exe",
"track": 1,
"command_line": "cmd \/C \"\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"\"",
"filepath_r": "C:\\Windows\\system32\\cmd.exe",
"stack_pivoted": 0,
"creation_flags": 524288,
"process_handle": "0x00000080",
"inherit_handles": 1
},
"time": 1563501224.3278,
"tid": 2248,
"flags": {
"creation_flags": "EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 1576,
"type": "call",
"cid": 270
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2164,
"thread_handle": "0x00000080",
"process_identifier": 2868,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"track": 1,
"command_line": "\"C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe\" \"C:\\Users\\cuck\\AppData\\Local\\Temp\\5B71B3~1.BIN\"",
"filepath_r": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"stack_pivoted": 0,
"creation_flags": 524288,
"process_handle": "0x00000084",
"inherit_handles": 1
},
"time": 1563501224.4992,
"tid": 2516,
"flags": {
"creation_flags": "EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 2624,
"type": "call",
"cid": 70
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2600,
"thread_handle": "0x00000094",
"process_identifier": 2280,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Roaming\\api-tnet\\AudiORes.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000098",
"inherit_handles": 0
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2868,
"type": "call",
"cid": 52
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000094"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 54
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2280,
"region_size": 233472,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000098",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2868,
"type": "call",
"cid": 56
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"buffer": "MZ\u0090\u0000\u0003\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u00ff\u00ff\u0000\u0000\u00b8\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00f0\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000iPa\u00ee-1\u000f\u00bd-1\u000f\u00bd-1\u000f\u00bd\n\u00f7r\u00bd,1\u000f\u00bd\n\u00f7b\u00bd\/1\u000f\u00bd$I\u009c\u00bd#1\u000f\u00bd-1\u000e\u00bd\u00b81\u000f\u00bd\u00ee>R\u00bd.1\u000f\u00bd\u00ee>P\u00bd,1\u000f\u00bd\u00ee>\u0000\u00bd.1\u000f\u00bd\n\u00f7~\u00bd41\u000f\u00bd\n\u00f7s\u00bd,1\u000f\u00bd\n\u00f7w\u00bd,1\u000f\u00bdRich-1\u000f\u00bd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0005\u0000\u0005\u0087\u00faU\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0003\u0001\u000b\u0001\b\u0000\u0000B\u0000\u0000\u0000\u001c\u0000\u0000\u0000\u0000\u0000\u0000v\u0010\u0000\u0000\u0000\u0010\u0000\u0000\u0000`\u0000\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0090\u0003\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004c\u0000\u0000\u00a0\u0000\u0000\u0000\u0000\u0090\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00
",
"process_handle": "0x00000098",
"base_address": "0x00400000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 57
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "3c54ae25097f4d47bcd79ca3a57c566b3c73898f",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"buffer": "",
"process_handle": "0x00000098",
"base_address": "0x00401000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 58
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"process_handle": "0x00000098",
"base_address": "0x00406000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 59
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"process_handle": "0x00000098",
"base_address": "0x00408000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 61
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "29f31b5023708055057f2f94c56f56e18aa4d662",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"buffer": "",
"process_handle": "0x00000098",
"base_address": "0x00409000"
},
"time": 1563501255.6561,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 62
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2280,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000098",
"base_address": "0x7efde008"
},
"time": 1563501255.9691,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 63
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000094",
"registers": {
"eip": 2008678852,
"esp": 2881688,
"edi": 0,
"eax": 4198518,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2280
},
"time": 1563501255.9691,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 64
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000094",
"suspend_count": 1,
"process_identifier": 2280
},
"time": 1563501257.2811,
"tid": 2164,
"flags": {}
},
"pid": 2868,
"type": "call",
"cid": 65
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000000e8",
"suspend_count": 1,
"process_identifier": 2280
},
"time": 1563501265.1406,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 188
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2456,
"thread_handle": "0x00000100",
"process_identifier": 2676,
"current_directory": "",
"filepath": "",
"track": 1,
"command_line": "C:\\Windows\\system32\\svchost.exe",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 67108868,
"process_handle": "0x00000104",
"inherit_handles": 0
},
"time": 1563501265.1716,
"tid": 2600,
"flags": {
"creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_SUSPENDED"
}
},
"pid": 2280,
"type": "call",
"cid": 210
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501265.8436,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 247
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501266.4996,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 250
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "601db896fbd3218d2dd0ad604b4194032b210bb2",
"api": "NtMapViewOfSection",
"return_value": 0,
"arguments": {
"section_handle": "0x0000010c",
"process_identifier": 2676,
"commit_size": 0,
"win32_protect": 64,
"buffer": "",
"process_handle": "0x00000104",
"allocation_type": 0,
"section_offset": 0,
"view_size": 565248,
"base_address": "0x00250000"
},
"time": 1563501266.6086,
"tid": 2600,
"flags": {
"win32_protect": "PAGE_EXECUTE_READWRITE",
"allocation_type": ""
}
},
"pid": 2280,
"type": "call",
"cid": 255
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000104",
"allocation_type": 12288,
"base_address": "0x002e0000"
},
"time": 1563501266.6246,
"tid": 2600,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2280,
"type": "call",
"cid": 280
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000100",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501269.1716,
"tid": 2600,
"flags": {}
},
"pid": 2280,
"type": "call",
"cid": 284
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000a4",
"suspend_count": 1,
"process_identifier": 2676
},
"time": 1563501269.2339,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 282
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000d4",
"suspend_count": 1,
"process_identifier": 1788
},
"time": 1563501313.5939,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 405
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000d4"
},
"time": 1563501314.1409,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 408
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "601db896fbd3218d2dd0ad604b4194032b210bb2",
"api": "NtMapViewOfSection",
"return_value": 0,
"arguments": {
"section_handle": "0x000000000000008c",
"process_identifier": 1788,
"commit_size": 0,
"win32_protect": 64,
"buffer": "",
"process_handle": "0x00000000000000d0",
"allocation_type": 0,
"section_offset": 0,
"view_size": 565248,
"base_address": "0x0000000006640000"
},
"time": 1563501314.1409,
"tid": 2456,
"flags": {
"win32_protect": "PAGE_EXECUTE_READWRITE",
"allocation_type": ""
}
},
"pid": 2676,
"type": "call",
"cid": 411
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1788,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000000000000d0",
"allocation_type": 12288,
"base_address": "0x0000000002910000"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2676,
"type": "call",
"cid": 426
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000d4"
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 427
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000000000000d4",
"registers": {
"r14": 0,
"r9": 2006935856,
"rcx": 0,
"rsi": 0,
"r10": 0,
"rbx": 0,
"rdi": 0,
"r11": 0,
"r8": 0,
"rdx": 2006935856,
"rip": 43057688,
"rbp": 0,
"r15": 0,
"r12": 0,
"rsp": 156302648,
"rax": 43057152,
"r13": 0
},
"process_identifier": 1788
},
"time": 1563501314.9219,
"tid": 2456,
"flags": {}
},
"pid": 2676,
"type": "call",
"cid": 429
}
],
"references": [],
"name": "injection_runpe"
}
]
The Yara rules did not detect anything in the file.


The instructions below show how to remove lib1g.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the lib1g.exe file for removal, restart your computer and scan it again to verify that lib1g.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | 8ede3ace8c115bd3a4fd26bd23c35422 |
| SHA256 | 5b71b3b94c28409d7c4ef7cb39bfe83f4d32163dfcc1b528d18dd95e3c181fca |
These are some of the error messages that can appear related to lib1g.exe:
lib1g.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
lib1g.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
lib1g.exe has stopped working.
End Program - lib1g.exe. This program is not responding.
lib1g.exe is not a valid Win32 application.
lib1g.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.