outmake.exe is part of ScreensaverTexts and, according to its version information, was developed by News Corporation.
outmake.exe's description is "Thickness Schemata Statistic".
outmake.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected outmake.exe.
The following is the available information on outmake.exe:
| Property | Value |
|---|---|
| Product name | ScreensaverTexts |
| Company name | News Corporation |
| File description | Thickness Schemata Statistic |
| Original filename | ScreensaverTexts |
| Legal copyright | (c). All rights reserved. News Corporation |
| Private build | 7.1.85.192 |
| Product version | 7.1.85.192 |
(Screenshot of the file properties as displayed by Windows Explorer; the fields shown are the same as in the table above.)
outmake.exe is not signed, so the company and product names in its version information cannot be verified against a publisher certificate.
57 of the 73 anti-virus programs at VirusTotal detected the outmake.exe file. That's a 78% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.12125004 |
| AegisLab | Trojan.Win32.Shade.4!c |
| AhnLab-V3 | Trojan/Win32.Shade.C2085383 |
| Alibaba | Ransom:Win32/Shade.c0fbce5d |
| ALYac | Trojan.Ransom.Shade |
| Antiy-AVL | Trojan[Ransom]/Win32.Shade |
| APEX | Malicious |
| Arcabit | Trojan.Generic.DB9034C |
| Avast | Win32:Trojan-gen |
| AVG | Win32:Trojan-gen |
| Avira | HEUR/AGEN.1030579 |
| BitDefender | Trojan.GenericKD.12125004 |
| CAT-QuickHeal | Trojan.Mauvaise.SL1 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.13b442 |
| Cylance | Unsafe |
| Cyren | W32/Trojan.NTVB-0094 |
| DrWeb | Trojan.Encoder.13581 |
| eGambit | Generic.Malware |
| Emsisoft | Trojan.GenericKD.12125004 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | Win32/Filecoder.Shade.B |
| F-Secure | Heuristic.HEUR/AGEN.1030579 |
| FireEye | Generic.mg.b22c19213b442604 |
| Fortinet | W32/Kryptik.FQML!tr |
| GData | Trojan.GenericKD.12125004 |
| Ikarus | Trojan.Win32.Crypt |
| Invincea | heuristic |
| Jiangmin | Trojan.Shade.jn |
| K7AntiVirus | Trojan ( 004b8aa51 ) |
| K7GW | Trojan ( 004b8aa51 ) |
| Kaspersky | Trojan-Ransom.Win32.Shade.nxp |
| MAX | malware (ai score=100) |
| MaxSecure | Trojan.Malware.11254919.susgen |
| McAfee | GenericRXCW-GH!B22C19213B44 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.tc |
| Microsoft | Ransom:Win32/Troldesh.A |
| MicroWorld-eScan | Trojan.GenericKD.12125004 |
| NANO-Antivirus | Trojan.Win32.Shade.ertfea |
| Paloalto | generic.ml |
| Panda | Trj/Agent.JOU |
| Qihoo-360 | Win32/Trojan.Ransom.532 |
| Rising | Ransom.Shade!8.12CC (TFE:5:9UbOaVoevmH) |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Troj/Ransom-EQB |
| Symantec | Ransom.Troldesh |
| Tencent | Win32.Trojan.Shade.Pbyq |
| TrendMicro | Possible_HPGen-38 |
| TrendMicro-HouseCall | Possible_HPGen-38 |
| VBA32 | Trojan-Ransom.Shade |
| VIPRE | Trojan.Win32.Generic!BT |
| ViRobot | Trojan.Win32.Z.Shade.1070080 |
| Webroot | W32.Trojan.GenKD |
| Yandex | Trojan.Shade! |
| Zillya | Trojan.Shade.Win32.659 |
| ZoneAlarm | Trojan-Ransom.Win32.Shade.nxp |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\lock",
"C:\\ProgramData\\Windows\\csrss.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state.tmp"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\cFormatTags"
],
"dll_loaded": [
"kernel32",
"C:\\Windows\\SysWOW64\\l3codeca.acm",
"gdi32.dll",
"ADVAPI32.DLL",
"kernel32.dll",
"oleaut32.dll",
"netapi32.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"USER32.DLL",
"C:\\Windows\\system32\\uxtheme.dll",
"msg711.acm",
"imaadp32.acm",
"KERNEL32.DLL",
"msadp32.acm",
"advapi32.dll",
"ole32.dll",
"CRYPTSP.dll",
"USER32.dll",
"NETAPI32.DLL",
"ADVAPI32.dll",
"OLEAUT32.dll",
"shell32",
"SHELL32.dll",
"msgsm32.acm",
"shell32.dll",
"rpcrt4.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"user32.dll"
],
"file_opened": [
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"\\\\?\\PIPE\\srvsvc",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\Software\\USB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\Priority v4.00",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\MSACM",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AudioCompressionManager\\DriverCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MediaResources\\acm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\SOFTWARE\\System32\\Configuration\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\"
],
"file_written": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
"C:\\ProgramData\\Windows\\csrss.exe",
"\\\\?\\PIPE\\srvsvc"
],
"connects_ip": [
"128.31.0.39",
"171.25.193.9",
"127.0.0.1",
"86.59.21.38"
],
"file_exists": [
"C:\\ProgramData\\Windows\\"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\unverified-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-extrainfo",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-descriptors",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-certs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs.new",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\geoip6",
"C:\\ProgramData\\System32\\xVersion",
"C:\\Users\\cuck\\AppData\\Roaming\\System32\\xVersion",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\router-stability",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\geoip"
],
"file_read": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"\\\\?\\PIPE\\srvsvc"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.msgsm610",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"\\rule",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.msadpcm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\Priority v4.00\\Priority1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.msg711",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\MSACM\\NoPCMConverter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.l3acm",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.imaadpcm"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-extrainfo.new",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\torrc",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\torrc-defaults",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-descriptors.new",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\",
"C:\\ProgramData\\Windows\\"
]
}

Files dropped during the analysis:

[
{
"yara": [],
"sha1": "0270ed3b389c3126ba8b366e8ae4246a517ea9c6",
"name": "6fce63b2535f39c4_csrss.exe",
"filepath": "C:\\ProgramData\\Windows\\csrss.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1",
"urls": [],
"crc32": "B1C4FDA9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/874\/files\/6fce63b2535f39c4_csrss.exe",
"ssdeep": null,
"size": 1070080,
"sha512": "33e94cad045ed53ec33e6c96debfc35d919348f35aca937cff1cd8064ea7c0a2b5773ed708bc29107bc0e683729445bff4523c8cf17c17d11b8f9a413797bb0a",
"pids": [
1512
],
"md5": "b22c19213b4426042a2599aaea5b255c"
},
{
"yara": [],
"sha1": "9ffdee3274a67b47684cf13e7d54a4c03eb9b7a0",
"name": "8c7f2b4cbfaed07d_state",
"filepath": "c:\\users\\cuck\\appdata\\local\\temp\\6893a5d897\\state",
"type": "ASCII text, with CRLF line terminators",
"sha256": "8c7f2b4cbfaed07d7ffc9dcc15ea21d1ed62925355f4bb5ff29f81e988b29e56",
"urls": [],
"crc32": "89801590",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/874\/files\/8c7f2b4cbfaed07d_state",
"ssdeep": null,
"size": 199,
"sha512": "08f8c80cedbde5776ee96eef7ea42d4cbae6cf87b9b08ba0e83ee2ba878e8c0ed6829f0832304a54759e639f44a21253b44b2b450a89e513ec29246f8a06553e",
"pids": [
1512
],
"md5": "a14e702d8675d8e4d893dbaf950debc9"
}
]

Processes observed during the analysis:

[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"process_name": "6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"pid": 1512,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\lock",
"C:\\ProgramData\\Windows\\csrss.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state.tmp"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\cFormatTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\fdwSupport",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm\\aFormatTagCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610\\cFilterTags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711\\cFormatTags"
],
"dll_loaded": [
"kernel32",
"C:\\Windows\\SysWOW64\\l3codeca.acm",
"gdi32.dll",
"ADVAPI32.DLL",
"kernel32.dll",
"oleaut32.dll",
"netapi32.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"USER32.DLL",
"C:\\Windows\\system32\\uxtheme.dll",
"msg711.acm",
"imaadp32.acm",
"KERNEL32.DLL",
"msadp32.acm",
"advapi32.dll",
"ole32.dll",
"CRYPTSP.dll",
"USER32.dll",
"NETAPI32.DLL",
"ADVAPI32.dll",
"OLEAUT32.dll",
"shell32",
"SHELL32.dll",
"msgsm32.acm",
"shell32.dll",
"rpcrt4.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"user32.dll"
],
"file_opened": [
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"\\\\?\\PIPE\\srvsvc",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\Software\\USB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msgsm610",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\Priority v4.00",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msadpcm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\MSACM",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AudioCompressionManager\\DriverCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.l3acm",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MediaResources\\acm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\SOFTWARE\\System32\\Configuration\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.msg711",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\AudioCompressionManager\\DriverCache\\msacm.imaadpcm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\"
],
"file_written": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
"C:\\ProgramData\\Windows\\csrss.exe",
"\\\\?\\PIPE\\srvsvc"
],
"connects_ip": [
"128.31.0.39",
"171.25.193.9",
"127.0.0.1",
"86.59.21.38"
],
"file_exists": [
"C:\\ProgramData\\Windows\\"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\unverified-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-extrainfo",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-descriptors",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-certs",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs.new",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\geoip6",
"C:\\ProgramData\\System32\\xVersion",
"C:\\Users\\cuck\\AppData\\Roaming\\System32\\xVersion",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-consensus",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\router-stability",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\geoip"
],
"file_read": [
"\\\\?\\PIPE\\wkssvc",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"\\\\?\\PIPE\\srvsvc"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.msgsm610",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"\\rule",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.msadpcm",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\Priority v4.00\\Priority1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.msg711",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Multimedia\\Audio Compression Manager\\MSACM\\NoPCMConverter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.l3acm",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\msacm.imaadpcm"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-extrainfo.new",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\torrc",
"C:\\Users\\cuck\\AppData\\Roaming\\tor\\torrc-defaults",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\cached-descriptors.new",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\state"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\6893A5D897\\",
"C:\\ProgramData\\Windows\\"
]
},
"first_seen": 1562550785.6562,
"ppid": 2892
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1562550785.375,
"ppid": 376
}
]

Behavioural signatures triggered during the analysis:

[
{
"markcount": 1,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1562550789.9062,
"tid": 2732,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 13257
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1562550785.8282,
"tid": 2732,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 214
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "C:\\Win\\overall\\ontimer\\performed\\Exab.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1562550789.9213,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 13351
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 2,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "BIN",
"type": "ioc",
"description": null
},
{
"category": "resource name",
"ioc": "PNG",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 5,
"families": [],
"description": "Starts servers listening",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "bind",
"return_value": 0,
"arguments": {
"ip_address": "127.0.0.1",
"socket": 492,
"port": 0
},
"time": 1562550792.0622,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 21273
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "listen",
"return_value": 0,
"arguments": {
"socket": 492,
"backlog": 1
},
"time": 1562550792.0622,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 21276
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "accept",
"return_value": 560,
"arguments": {
"ip_address": "127.0.0.1",
"socket": 492,
"port": 49195
},
"time": 1562550792.0622,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 21280
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "bind",
"return_value": 0,
"arguments": {
"ip_address": "127.0.0.1",
"socket": 492,
"port": 22626
},
"time": 1562550792.0622,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 21288
},
{
"call": {
"category": "network",
"status": 1,
"stacktrace": [],
"api": "listen",
"return_value": 0,
"arguments": {
"socket": 492,
"backlog": 2147483647
},
"time": 1562550792.0622,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 21289
}
],
"references": [],
"name": "network_bind"
},
{
"markcount": 533,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1512,
"region_size": 2457600,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x02a00000"
},
"time": 1562550785.8282,
"tid": 2732,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 1512,
"type": "call",
"cid": 230
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1512,
"region_size": 204800,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x02be0000"
},
"time": 1562550785.8282,
"tid": 2732,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1512,
"type": "call",
"cid": 232
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1512,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x020d0000"
},
"time": 1562550788.7503,
"tid": 2732,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1512,
"type": "call",
"cid": 12206
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1512,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x02030000"
},
"time": 1562550788.7652,
"tid": 2732,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1512,
"type": "call",
"cid": 12211
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 3,
"families": [],
"description": "Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchProtocolHost.exe",
"snapshot_handle": "0x000001c4",
"process_identifier": 2340
},
"time": 1562550791.0003,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 17070
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1.bin",
"snapshot_handle": "0x000001c4",
"process_identifier": 1512
},
"time": 1562550791.0003,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 17071
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "Process32NextW",
"return_value": 1,
"arguments": {
"process_name": "SearchFilterHost.exe",
"snapshot_handle": "0x000001c4",
"process_identifier": 2800
},
"time": 1562550791.0003,
"tid": 460,
"flags": {}
},
"pid": 1512,
"type": "call",
"cid": 17072
}
],
"references": [],
"name": "injection_process_search"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.9595333926304,
"section": {
"size_of_data": "0x000e1e00",
"virtual_address": "0x00027000",
"entropy": 7.9595333926304,
"name": ".rsrc",
"virtual_size": "0x001c7cec"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.8654214559387,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 1,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 790ebde7858666f2e49c9775f938a4c85c94e618",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
"reg_value": "\"C:\\ProgramData\\Windows\\csrss.exe\""
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 1,
"families": [],
"description": "Installs Tor on the machine",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\tor\\geoip",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "network_tor"
}
]

The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0782170295715,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.0940871238708,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.0368411540985,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0496771335602,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.0509099960327,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5877411365509,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.096934795379639,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.5644271373749,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0720930099487,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1413931846619,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "0a55d40680fffda535afab3454c9c6d9a93779420a6c702aa1052e45a0576fb2",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "420ab7a0f6f171a07df5931e03c60b610b42c2a17d4485b1725c03442560b2c7",
"irc": [],
"https_ex": []
}


The instructions below show how to remove outmake.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the outmake.exe file for removal, restart your computer and scan it again to verify that outmake.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | b22c19213b4426042a2599aaea5b255c |
| SHA256 | 6fce63b2535f39c447c3a8aa7ab785d75607aedb118d758d22584118e4d068e1 |
These are some of the error messages that can appear related to outmake.exe:
outmake.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
outmake.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Thickness Schemata Statistic has stopped working.
End Program - outmake.exe. This program is not responding.
outmake.exe is not a valid Win32 application.
outmake.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.