What is proton1.exe?
proton1.exe is part of Advanced SystemCare and developed by IObit according to the proton1.exe version information.
proton1.exe's description is "file monitor control module."
proton1.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected proton1.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on proton1.exe:
| Property | Value |
|---|---|
| Product name | Advanced SystemCare |
| Company name | IObit |
| File description | file monitor control module. |
| Internal name | filectl.dll |
| Original filename | filectl.dll |
| Legal copyright | © IObit. All rights reserved. |
| Legal trademark | IObit |
| Product version | 1.0.0.22 |
| File version | 1.0.0.22 |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | Advanced SystemCare |
| Company name | IObit |
| File description | file monitor control module. |
| Internal name | filectl.dll |
| Original filename | filectl.dll |
| Legal copyright | © IObit. All rights reserved. |
| Legal trademark | IObit |
| Product version | 1.0.0.22 |
| File version | 1.0.0.22 |
Digital signatures [?]
proton1.exe is not signed.
VirusTotal report
40 of the 65 anti-virus programs at VirusTotal detected the proton1.exe file. That's a 62% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.41115884 |
| AegisLab | Trojan.Win32.Generic.4!c |
| AhnLab-V3 | Downloader/Win32.Upatre.C2109614 |
| ALYac | Trojan.GenericKD.41115884 |
| Arcabit | Trojan.Generic.D27360EC |
| Avast | Win32:Trojan-gen |
| AVG | Win32:Trojan-gen |
| BitDefender | Trojan.GenericKD.41115884 |
| Bkav | W32.HfsAutoB. |
| CAT-QuickHeal | Trojan.Generic |
| Comodo | Malware@#1eu97k18copf5 |
| Cybereason | malicious.924e1f |
| Cyren | W32/Trojan.STUX-2447 |
| Emsisoft | Trojan.GenericKD.41115884 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Packed.Themida.APW |
| Fortinet | W32/Generic!tr |
| GData | Trojan.GenericKD.41115884 |
| Ikarus | Trojan.Win32.Themida |
| Invincea | heuristic |
| K7AntiVirus | Trojan ( 005362341 ) |
| K7GW | Trojan ( 005362341 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Malwarebytes | Trojan.Dropper.Themida |
| MAX | malware (ai score=99) |
| McAfee | Artemis!09E491B959B8 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.vc |
| Microsoft | Trojan:Win32/Occamy.C |
| MicroWorld-eScan | Trojan.GenericKD.41115884 |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Qihoo-360 | Win32/Trojan.2ff |
| Rising | Trojan.Generic!8.C3 (CLOUD) |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Mal/Generic-S |
| Tencent | Trojan.Win32.Agent.vba |
| Trapmine | malicious.moderate.ml.score |
| TrendMicro-HouseCall | TROJ_GEN.F0C2C00CE19 |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\ConsoleTracingMask"
],
"dll_loaded": [
"C:\\Windows\\System32\\mswsock.dll",
"urlmon.dll",
"kernel32",
"winmm.dll",
"DNSAPI.dll",
"DHCPCSVC.DLL",
"KERNEL32.dll",
"C:\\Windows\\system32\\napinsp.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"SspiCli.dll",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"RASMAN.DLL",
"ole32.dll",
"USER32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"XmlLite.dll",
"ktmw32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"rpcrt4.dll",
"SHELL32.dll",
"C:\\Windows\\System32\\winrnr.dll",
"VERSION.dll",
"NTDLL",
"kernel32.dll",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"ADVAPI32.dll",
"NTDLL.dll",
"SETUPAPI.dll",
"WS2_32.dll",
"OLEAUT32.dll"
],
"file_opened": [
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe"
]
],
"connects_host": [
"167.86.88.2",
"iplogger.org"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Wine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\ServiceHub_RASMANCS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\ServiceHub.IdentityHost.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
],
"command_line": [
"t C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"schtasks.exe \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F"
],
"resolves_host": [
"wpad",
"cuckpc"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty"
],
"mutex": [
"IESQMMUTEX_0_208",
"uebrthnutrlebnuloirbgnleruio"
],
"file_failed": [
"\\??\\NTICE",
"\\??\\SICE",
"\\??\\SIWVID"
],
"guid": [
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}"
],
"file_read": [
"C:\\Windows\\System32\\ntdll.dll"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\ConsoleTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty"
]
}Generic
[
{
"process_path": "C:\\Windows\\SysWOW64\\schtasks.exe",
"process_name": "schtasks.exe",
"pid": 3016,
"summary": {
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"guid": [
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"ADVAPI32.dll",
"VERSION.dll",
"kernel32.dll",
"XmlLite.dll",
"SspiCli.dll"
]
},
"first_seen": 1597200788.578125,
"ppid": 2420
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe",
"process_name": "ServiceHub.IdentityHost.exe",
"pid": 816,
"summary": {
"guid": [
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableFileTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileDirectory",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\ConsoleTracingMask"
],
"dll_loaded": [
"C:\\Windows\\System32\\mswsock.dll",
"urlmon.dll",
"kernel32",
"winmm.dll",
"DNSAPI.dll",
"DHCPCSVC.DLL",
"KERNEL32.dll",
"C:\\Windows\\system32\\napinsp.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"ole32.dll",
"USER32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"ktmw32.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"SHELL32.dll",
"C:\\Windows\\System32\\winrnr.dll",
"NTDLL",
"kernel32.dll",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"ADVAPI32.dll",
"NTDLL.dll",
"SETUPAPI.dll",
"WS2_32.dll"
],
"file_failed": [
"\\??\\NTICE",
"\\??\\SICE",
"\\??\\SIWVID"
],
"connects_host": [
"167.86.88.2"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Wine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\ServiceHub_RASMANCS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\ServiceHub.IdentityHost.exe",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
],
"resolves_host": [
"wpad",
"cuckpc"
],
"mutex": [
"IESQMMUTEX_0_208",
"uebrthnutrlebnuloirbgnleruio"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"command_line": [
"\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"schtasks.exe \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F"
],
"file_read": [
"C:\\Windows\\System32\\ntdll.dll"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\RegisteredOwner",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\EnableConsoleTracing",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\ConsoleTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\ServiceHub_RASAPI32\\FileTracingMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
"C:\\Windows\\System32\\ras\\*.pbk",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk"
]
},
"first_seen": 1597200788.796,
"ppid": 2420
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1597200787.53125,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"process_name": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"pid": 2420,
"summary": {
"guid": [
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory"
],
"dll_loaded": [
"urlmon.dll",
"kernel32",
"winmm.dll",
"DHCPCSVC.DLL",
"KERNEL32.dll",
"C:\\Windows\\system32\\napinsp.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"ole32.dll",
"USER32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"RASMAN.DLL",
"rtutils.dll",
"IPHLPAPI.DLL",
"wininet.dll",
"ktmw32.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"NTDLL.dll",
"SHELL32.dll",
"C:\\Windows\\System32\\winrnr.dll",
"NTDLL",
"kernel32.dll",
"C:\\Windows\\SysWOW64\\oleaut32.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"SETUPAPI.dll",
"WS2_32.dll"
],
"file_failed": [
"\\??\\NTICE",
"\\??\\SICE",
"\\??\\SIWVID"
],
"file_copied": [
[
"C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe"
]
],
"connects_host": [
"iplogger.org"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RASMANCS",
"HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
"HKEY_CURRENT_USER\\Software\\Wine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
"HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
"HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
],
"resolves_host": [
"cuckpc"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty"
],
"mutex": [
"uebrthnutrlebnuloirbgnleruio"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"C:\\Windows\\System32\\ntdll.dll",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"command_line": [
"t C:\\Users\\cuck\\AppData\\Local\\Temp\\1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"schtasks.exe \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F"
],
"file_read": [
"C:\\Windows\\System32\\ntdll.dll"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableConsoleTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileDirectory",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\MaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\FileTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\EnableFileTracing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASMANCS\\MaxFileSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RASAPI32\\ConsoleTracingMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty"
]
},
"first_seen": 1597200787.84375,
"ppid": 1268
},
{
"process_path": "C:\\Windows\\SysWOW64\\schtasks.exe",
"process_name": "schtasks.exe",
"pid": 2508,
"summary": {
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"guid": [
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"ADVAPI32.dll",
"VERSION.dll",
"kernel32.dll",
"XmlLite.dll",
"SspiCli.dll"
]
},
"first_seen": 1597200789.546,
"ppid": 816
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597200788.719125,
"tid": 964,
"flags": {}
},
"pid": 3016,
"type": "call",
"cid": 39
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1597200789.608,
"tid": 2628,
"flags": {}
},
"pid": 2508,
"type": "call",
"cid": 39
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5436
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4852
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 2,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "SUCCESS: The scheduled task \"ServiceHub VSDetouredHost\" has successfully been created.\n",
"console_handle": "0x00000007"
},
"time": 1597200788.922125,
"tid": 964,
"flags": {}
},
"pid": 3016,
"type": "call",
"cid": 51
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "SUCCESS: The scheduled task \"ServiceHub VSDetouredHost\" has successfully been created.\n",
"console_handle": "0x00000007"
},
"time": 1597200789.655,
"tid": 2628,
"flags": {}
},
"pid": 2508,
"type": "call",
"cid": 51
}
],
"references": [],
"name": "console_output"
},
{
"markcount": 1,
"families": [],
"description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
"severity": 1,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "recon_fingerprint"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1597200788.45275,
"tid": 1676,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5782
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 5,
"families": [],
"description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
"severity": 1,
"marks": [
{
"category": "section",
"ioc": " \\x00 ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": ".idata ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": " ",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "rslldxpq",
"type": "ioc",
"description": null
},
{
"category": "section",
"ioc": "bsntmtgn",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_features"
},
{
"markcount": 242,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "R\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n6\n3\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\na\n1\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\nd\n2\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\nd\n2\n\n\nR\nt\nl\nI\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nx\nc\ne\np\nt\ni\no\nn\nC\nh\na\ni\nn\n+\n0\nx\n3\n6\n \nR\nt\nl\nA\nl\nl\no\nc\na\nt\ne\nA\nc\nt\ni\nv\na\nt\ni\no\nn\nC\no\nn\nt\ne\nx\nt\nS\nt\na\nc\nk\n-\n0\nx\nc\ne\n \nn\nt\nd\nl\nl\n+\n0\nx\n3\n9\ne\na\n5\n \n@\n \n0\nx\n7\n7\nb\nc\n9\ne\na\n5",
"registers": {
"esp": 9500892,
"edi": 0,
"eax": 1,
"ebp": 9500908,
"edx": 7675904,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"exception": {
"instruction_r": "fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x3450b9",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 3428537,
"address": "0x5650b9"
}
},
"time": 1597200787.95275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 0
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 1975189736,
"eax": 2939288760,
"ebp": 3992825876,
"edx": 2228224,
"ebx": 2833245,
"esi": 4294942276,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb e9 1d f8 ff ff 57 e9 d5 fd ff ff 81 ec 04 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x8d5a5",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 578981,
"address": "0x2ad5a5"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 1
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500856,
"edi": 1975189736,
"eax": 28770,
"ebp": 3992825876,
"edx": 2808644,
"ebx": 2048351780,
"esi": 4294942276,
"ecx": 1975386112
},
"exception": {
"instruction_r": "fb 50 56 55 c7 04 24 82 b2 ee 3b 5e 81 c6 f5 d0",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x8e077",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 581751,
"address": "0x2ae077"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 1975189736,
"eax": 28770,
"ebp": 3992825876,
"edx": 2811418,
"ebx": 2048351780,
"esi": 240873,
"ecx": 0
},
"exception": {
"instruction_r": "fb 68 61 ee a3 26 89 14 24 e9 3c 02 00 00 31 d8",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x8de76",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 581238,
"address": "0x2ade76"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 3
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 2845247,
"eax": 28100,
"ebp": 3992825876,
"edx": 2799065,
"ebx": 307200,
"esi": 4377653,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb e9 cb f9 ff ff 52 ba 85 38 35 08 01 d0 5a 01",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x20673b",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2123579,
"address": "0x42673b"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 6
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 14543189,
"eax": 4294941836,
"ebp": 3992825876,
"edx": 2799065,
"ebx": 307200,
"esi": 4377653,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 68 7f 7b 62 68 89 34 24 50 b8 cc 25 af 6f f7",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x206208",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2122248,
"address": "0x426208"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 7
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500856,
"edi": 4374055,
"eax": 33035,
"ebp": 3992825876,
"edx": 11731320,
"ebx": 4371509,
"esi": 460547179,
"ecx": 2008823930
},
"exception": {
"instruction_r": "fb 55 e9 70 02 00 00 2d 4c 07 30 6d e9 a3 fe ff",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x20c7c2",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2148290,
"address": "0x42c7c2"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 14
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 4407090,
"eax": 33035,
"ebp": 3992825876,
"edx": 11731320,
"ebx": 4371509,
"esi": 460547179,
"ecx": 2008823930
},
"exception": {
"instruction_r": "fb 51 b9 5e 0f f5 7f 52 e9 9c f9 ff ff 2d dc df",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x20c77c",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2148220,
"address": "0x42c77c"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 15
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 4377246,
"eax": 0,
"ebp": 3992825876,
"edx": 11731320,
"ebx": 4371509,
"esi": 50665,
"ecx": 2008823930
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 e9 17 fc ff ff 59 ff 37 e9",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x20c853",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2148435,
"address": "0x42c853"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 16
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500856,
"edi": 4394755,
"eax": 26908,
"ebp": 3992825876,
"edx": 11731320,
"ebx": 4371509,
"esi": 50665,
"ecx": 14288
},
"exception": {
"instruction_r": "fb 68 45 e1 db 6c e9 75 00 00 00 5c ff 34 0f 81",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x211385",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2167685,
"address": "0x431385"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 17
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 4421663,
"eax": 26908,
"ebp": 3992825876,
"edx": 202985,
"ebx": 4371509,
"esi": 50665,
"ecx": 4294943440
},
"exception": {
"instruction_r": "fb 57 89 34 24 57 55 bd 2a 9c 76 1f bf 7a d0 b2",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x2118fb",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2169083,
"address": "0x4318fb"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 18
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 11742568,
"eax": 1447909480,
"ebp": 3992825876,
"edx": 22104,
"ebx": 1975324853,
"esi": 4412220,
"ecx": 20
},
"exception": {
"instruction_r": "ed 64 8f 05 00 00 00 00 50 54 8b 04 24 83 c4 04",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x21ac84",
"instruction": "in eax, dx",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2206852,
"address": "0x43ac84"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 23
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 11742568,
"eax": 1,
"ebp": 3992825876,
"edx": 22104,
"ebx": 0,
"esi": 4412220,
"ecx": 20
},
"exception": {
"instruction_r": "0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x2178f2",
"address": "0x4378f2",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc000001d",
"offset": 2193650
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 24
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 11742568,
"eax": 1447909480,
"ebp": 3992825876,
"edx": 22104,
"ebx": 2256917605,
"esi": 4412220,
"ecx": 10
},
"exception": {
"instruction_r": "ed 81 fb 68 58 4d 56 75 0a c7 85 3b 39 2d 12 01",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x21795a",
"instruction": "in eax, dx",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2193754,
"address": "0x43795a"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 25
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 0,
"eax": 9500820,
"ebp": 3992825876,
"edx": 4448212,
"ebx": 4448620,
"esi": 4448222,
"ecx": 2047056014
},
"exception": {
"instruction_r": "cd 01 eb 00 6a 00 52 e8 03 00 00 00 20 5a c3 5a",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x21dff4",
"instruction": "int 1",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000005",
"offset": 2220020,
"address": "0x43dff4"
}
},
"time": 1597200788.12475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2626
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500856,
"edi": 11742568,
"eax": 4449408,
"ebp": 3992825876,
"edx": 2130554612,
"ebx": 62497187,
"esi": 10,
"ecx": 15249
},
"exception": {
"instruction_r": "fb 2d fb e0 9f 6f 57 bf 6a b1 37 4f e9 86 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x21ec94",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2223252,
"address": "0x43ec94"
}
},
"time": 1597200788.12475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2627
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 2283,
"eax": 4452319,
"ebp": 3992825876,
"edx": 2130554612,
"ebx": 62497187,
"esi": 0,
"ecx": 15249
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 2c 24 56 c7 04 24 c3 14",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x21e83f",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2222143,
"address": "0x43e83f"
}
},
"time": 1597200788.12475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2628
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 2283,
"eax": 25597,
"ebp": 3992825876,
"edx": 1993082117,
"ebx": 4505570,
"esi": 0,
"ecx": 4463441
},
"exception": {
"instruction_r": "fb 29 d2 ff 34 1a ff 34 24 8b 3c 24 83 c4 04 53",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x226604",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2254340,
"address": "0x446604"
}
},
"time": 1597200788.12475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2629
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 2268199272,
"eax": 25597,
"ebp": 3992825876,
"edx": 4294944504,
"ebx": 4505570,
"esi": 0,
"ecx": 4463441
},
"exception": {
"instruction_r": "fb 57 c7 04 24 a2 21 39 6f e9 3b 00 00 00 40 e9",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x225deb",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2252267,
"address": "0x445deb"
}
},
"time": 1597200788.12475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 2630
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 2798382,
"eax": 28034,
"ebp": 3992825876,
"edx": 6,
"ebx": 62497409,
"esi": 1975260176,
"ecx": 4544364
},
"exception": {
"instruction_r": "fb ba 5f 92 da 7d e9 03 01 00 00 81 c4 04 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x22f05c",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2289756,
"address": "0x44f05c"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5328
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500860,
"edi": 2798382,
"eax": 28034,
"ebp": 3992825876,
"edx": 0,
"ebx": 62497409,
"esi": 3314111826,
"ecx": 4519424
},
"exception": {
"instruction_r": "fb 68 85 dc de 5c 89 3c 24 bf 78 fc ff 6e 55 89",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x22f56b",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2291051,
"address": "0x44f56b"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5329
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 2798382,
"eax": 28792,
"ebp": 3992825876,
"edx": 4570231,
"ebx": 498294823,
"esi": 3314111826,
"ecx": 0
},
"exception": {
"instruction_r": "fb 68 1f 2b 4f 75 e9 57 04 00 00 b8 64 02 7e 08",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x234ce3",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2313443,
"address": "0x454ce3"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5331
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 0,
"eax": 28792,
"ebp": 3992825876,
"edx": 4544419,
"ebx": 498294823,
"esi": 3314111826,
"ecx": 84201
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 2c 24 c7 04 24 65 bd fb",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x234f75",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2314101,
"address": "0x454f75"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5332
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 0,
"eax": 25805,
"ebp": 3992825876,
"edx": 2130566132,
"ebx": 498294823,
"esi": 4586959,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 55 bd 98 84 a3 5d 50 c7 04 24 c6 9a a3 5d e9",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x23a4d8",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2335960,
"address": "0x45a4d8"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5334
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 0,
"eax": 0,
"ebp": 3992825876,
"edx": 14827,
"ebx": 498294823,
"esi": 4564247,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 53 68 ec 29 fe 6f 5b e9 e0 07 00 00 01 fb 81",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x2399cf",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2333135,
"address": "0x4599cf"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5335
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500848,
"edi": 3869061965,
"eax": 27425,
"ebp": 3992825876,
"edx": 4607399,
"ebx": 1975259640,
"esi": 4609132,
"ecx": 0
},
"exception": {
"instruction_r": "fb 81 c6 32 30 ab 75 52 ba df a7 77 15 83 ea 01",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x245914",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2382100,
"address": "0x465914"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5342
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 1347900752,
"eax": 27425,
"ebp": 3992825876,
"edx": 0,
"ebx": 1975259640,
"esi": 4612369,
"ecx": 0
},
"exception": {
"instruction_r": "fb 51 c7 04 24 21 4c 74 6d 89 1c 24 89 e3 81 c3",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x245f03",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2383619,
"address": "0x465f03"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5343
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 307207487,
"eax": 32012,
"ebp": 3992825876,
"edx": 2800249,
"ebx": 0,
"esi": 4689558,
"ecx": 4727461
},
"exception": {
"instruction_r": "fb 56 e9 4c 04 00 00 81 e2 ae b1 ff 7c 81 c2 6b",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25a776",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2467702,
"address": "0x47a776"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5345
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 307207487,
"eax": 32012,
"ebp": 3992825876,
"edx": 2057122144,
"ebx": 0,
"esi": 0,
"ecx": 4698753
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 34 24 53 c7 04 24 8c 09",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25afec",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2469868,
"address": "0x47afec"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5346
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500816,
"edi": 4699470,
"eax": 31755,
"ebp": 3992825876,
"edx": 1280715329,
"ebx": 4699895,
"esi": 4698782,
"ecx": 0
},
"exception": {
"instruction_r": "fb 81 c3 51 03 f1 5e 50 89 34 24 51 89 1c 24 89",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25bafb",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2472699,
"address": "0x47bafb"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5347
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4699470,
"eax": 31755,
"ebp": 3992825876,
"edx": 0,
"ebx": 4702698,
"esi": 12773714,
"ecx": 0
},
"exception": {
"instruction_r": "fb 55 51 89 04 24 53 e9 00 00 00 00 bb 4f 64 bf",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25c068",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2474088,
"address": "0x47c068"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5348
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4699470,
"eax": 31951,
"ebp": 3992825876,
"edx": 4735035,
"ebx": 4702698,
"esi": 12773714,
"ecx": 1195352537
},
"exception": {
"instruction_r": "fb e9 35 00 00 00 81 f3 e1 71 0d 7f c1 e3 07 e9",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25c6f4",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2475764,
"address": "0x47c6f4"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5349
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4699470,
"eax": 0,
"ebp": 3992825876,
"edx": 4705951,
"ebx": 322689,
"esi": 12773714,
"ecx": 1195352537
},
"exception": {
"instruction_r": "fb 68 d0 f3 1d 06 89 1c 24 e9 65 fc ff ff 5d 59",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25c71a",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2475802,
"address": "0x47c71a"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5350
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4699470,
"eax": 29520,
"ebp": 3992825876,
"edx": 4735896,
"ebx": 285568239,
"esi": 12773714,
"ecx": 1195352537
},
"exception": {
"instruction_r": "fb 52 89 04 24 53 bb a4 83 34 5c e9 08 01 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25d6e3",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2479843,
"address": "0x47d6e3"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5351
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4699470,
"eax": 605849936,
"ebp": 3992825876,
"edx": 4709340,
"ebx": 285568239,
"esi": 12773714,
"ecx": 0
},
"exception": {
"instruction_r": "fb 57 bf 11 8f 27 5d 56 89 3c 24 83 ec 04 89 2c",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x25d4e9",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2479337,
"address": "0x47d4e9"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5352
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500816,
"edi": 4730824,
"eax": 32523,
"ebp": 3992825876,
"edx": 4730047,
"ebx": 2812327,
"esi": 17473184,
"ecx": 1983578254
},
"exception": {
"instruction_r": "fb e9 86 00 00 00 5f 83 c4 04 c1 ef 05 81 ef a5",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x2633cb",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2503627,
"address": "0x4833cb"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5354
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4763347,
"eax": 32523,
"ebp": 3992825876,
"edx": 4730047,
"ebx": 2812327,
"esi": 17473184,
"ecx": 1983578254
},
"exception": {
"instruction_r": "fb 56 89 e6 81 c6 04 00 00 00 83 ee 04 87 34 24",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x263113",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2502931,
"address": "0x483113"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5355
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4733471,
"eax": 79593,
"ebp": 3992825876,
"edx": 4730047,
"ebx": 0,
"esi": 17473184,
"ecx": 1983578254
},
"exception": {
"instruction_r": "fb 56 89 e6 81 c6 04 00 00 00 81 ee 04 00 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x2638a2",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2504866,
"address": "0x4838a2"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5356
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500816,
"edi": 4733471,
"eax": 30550,
"ebp": 3992825876,
"edx": 1691714354,
"ebx": 1648168993,
"esi": 4741358,
"ecx": 1983578254
},
"exception": {
"instruction_r": "fb 57 89 e7 e9 d7 fe ff ff 87 04 24 e9 56 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x266157",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2515287,
"address": "0x486157"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5357
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4733471,
"eax": 0,
"ebp": 3992825876,
"edx": 1691714354,
"ebx": 1648168993,
"esi": 4744216,
"ecx": 3939837675
},
"exception": {
"instruction_r": "fb 50 68 55 7d 01 24 89 34 24 50 52 ba c2 f0 ff",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x265ee8",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2514664,
"address": "0x485ee8"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5358
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 1488713776,
"eax": 4776302,
"ebp": 3992825876,
"edx": 81129,
"ebx": 4294939972,
"esi": 4745238,
"ecx": 26646
},
"exception": {
"instruction_r": "fb 56 e9 32 f9 ff ff 57 f7 14 24 ff 34 24 5f e9",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x26735e",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2519902,
"address": "0x48735e"
}
},
"time": 1597200788.29675,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5359
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500816,
"edi": 4796685,
"eax": 26108,
"ebp": 3992825876,
"edx": 4820303,
"ebx": 4796653,
"esi": 4796649,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 55 89 e5 e9 30 03 00 00 89 04 24 b8 04 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x279453",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2593875,
"address": "0x499453"
}
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5380
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4796685,
"eax": 26108,
"ebp": 3992825876,
"edx": 4846411,
"ebx": 4796653,
"esi": 4796649,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 56 c7 04 24 0a 3e e5 7e 89 04 24 c7 04 24 7e",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x278dd3",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2592211,
"address": "0x498dd3"
}
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5381
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 27584848,
"eax": 26108,
"ebp": 3992825876,
"edx": 4823215,
"ebx": 4796653,
"esi": 0,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 53 89 2c 24 89 3c 24 e9 eb fb ff ff 5e 29 f7",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x2793d1",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2593745,
"address": "0x4993d1"
}
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5382
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 27584848,
"eax": 27565,
"ebp": 3992825876,
"edx": 2120715936,
"ebx": 4796653,
"esi": 4864433,
"ecx": 1276295382
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 e9 3b f6 ff ff 81 ef e2 02",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x27dc00",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2612224,
"address": "0x49dc00"
}
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5383
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 27584848,
"eax": 3988948584,
"ebp": 3992825876,
"edx": 0,
"ebx": 4796653,
"esi": 4840557,
"ecx": 1276295382
},
"exception": {
"instruction_r": "fb 81 ec 04 00 00 00 89 34 24 68 23 f6 ff 57 ff",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x27d0b8",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2609336,
"address": "0x49d0b8"
}
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5384
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4893813,
"eax": 32075,
"ebp": 3992825876,
"edx": 2130566132,
"ebx": 3345673713,
"esi": 4937997,
"ecx": 3354263552
},
"exception": {
"instruction_r": "fb 50 51 e9 34 00 00 00 b9 55 19 7f 77 ba 0d ba",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x28e1fc",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2679292,
"address": "0x4ae1fc"
}
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5437
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 0,
"eax": 32075,
"ebp": 3992825876,
"edx": 2130566132,
"ebx": 3345673713,
"esi": 4908493,
"ecx": 322689
},
"exception": {
"instruction_r": "fb 51 50 e9 99 fe ff ff bf 51 05 10 02 29 7c 24",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x28dfd3",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2678739,
"address": "0x4adfd3"
}
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5438
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 0,
"eax": 25663,
"ebp": 3992825876,
"edx": 11730944,
"ebx": 920970470,
"esi": 4963900,
"ecx": 2008823930
},
"exception": {
"instruction_r": "fb e9 38 04 00 00 be 04 00 00 00 e9 bd 04 00 00",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x295bec",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2710508,
"address": "0x4b5bec"
}
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5443
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500820,
"edi": 4294943972,
"eax": 25663,
"ebp": 3992825876,
"edx": 11730944,
"ebx": 2298801283,
"esi": 4963900,
"ecx": 2008823930
},
"exception": {
"instruction_r": "fb 56 e9 d9 fc ff ff ba 04 00 00 00 01 d0 5a 57",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x295d9c",
"instruction": "sti",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2710940,
"address": "0x4b5d9c"
}
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5444
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 64,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77c2f000"
},
"time": 1597200788.34375,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2420,
"type": "call",
"cid": 5496
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77ba0000"
},
"time": 1597200788.34375,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2420,
"type": "call",
"cid": 5498
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 151552,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00221000"
},
"time": 1597200788.37475,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2420,
"type": "call",
"cid": 5586
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00800000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5619
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00990000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5620
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009a0000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5621
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009b0000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5622
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5623
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a60000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5624
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a70000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5625
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a80000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5628
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00a90000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5629
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00aa0000"
},
"time": 1597200788.39075,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5630
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ab0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5632
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ac0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5634
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ad0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5635
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ae0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5639
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00af0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5641
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b00000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5642
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b10000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5643
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00b20000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5644
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00dc0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5646
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00dd0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5653
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5655
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00de0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5656
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5658
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5660
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5662
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5664
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5666
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2420,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009c0000"
},
"time": 1597200788.40575,
"tid": 2460,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2420,
"type": "call",
"cid": 5668
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77c2f000"
},
"time": 1597200789.343,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 4912
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77ba0000"
},
"time": 1597200789.343,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 4914
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 151552,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x00d71000"
},
"time": 1597200789.374,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 5006
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x005d0000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5039
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00be0000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5040
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00bf0000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5041
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c00000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5042
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c10000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5043
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c20000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5044
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c30000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5045
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c40000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5048
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c50000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5049
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c60000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5050
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c70000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5051
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c80000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5053
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00c90000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5055
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00ca0000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5056
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00cb0000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5060
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00cc0000"
},
"time": 1597200789.39,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 5062
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 2,
"marks": [
{
"type": "generic",
"description": "ServiceHub.IdentityHost.exe tried to sleep 244 seconds, actually delayed analysis time by 244 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 2,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks.exe \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 2,
"families": [],
"description": "A process created a hidden window",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "ShellExecuteExW",
"return_value": 1,
"arguments": {
"parameters": "\/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"filepath": "schtasks.exe",
"filepath_r": "schtasks.exe",
"show_type": 0
},
"time": 1597200788.46875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5830
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "ShellExecuteExW",
"return_value": 1,
"arguments": {
"parameters": "\/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"filepath": "schtasks.exe",
"filepath_r": "schtasks.exe",
"show_type": 0
},
"time": 1597200789.452,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 5231
}
],
"references": [],
"name": "stealth_window"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 0,
"family": 0
},
"time": 1597200788.54675,
"tid": 2492,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 6170
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 5,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.984651281867929,
"section": {
"size_of_data": "0x00024c00",
"virtual_address": "0x00001000",
"entropy": 7.984651281867929,
"name": " \\x00 ",
"virtual_size": "0x0004b000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.986317631664333,
"section": {
"size_of_data": "0x00034e00",
"virtual_address": "0x0004c000",
"entropy": 7.986317631664333,
"name": ".rsrc",
"virtual_size": "0x0003de4e"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.916841912250282,
"section": {
"size_of_data": "0x001eca00",
"virtual_address": "0x00345000",
"entropy": 7.916841912250282,
"name": "rslldxpq",
"virtual_size": "0x001ed000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 7.279631173479876,
"section": {
"size_of_data": "0x00000200",
"virtual_address": "0x00532000",
"entropy": 7.279631173479876,
"name": "bsntmtgn",
"virtual_size": "0x00001000"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9995709075305729,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 1,
"families": [],
"description": "Expresses interest in specific running processes",
"severity": 2,
"marks": [
{
"category": "process",
"ioc": "system",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "process_interest"
},
{
"markcount": 2,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks.exe \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 3,
"families": [],
"description": "Checks for the presence of known devices from debuggers and forensic tools",
"severity": 3,
"marks": [
{
"category": "file",
"ioc": "\\??\\SICE",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "\\??\\SIWVID",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "\\??\\NTICE",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antidbg_devices"
},
{
"markcount": 34,
"families": [],
"description": "Checks for the presence of known windows from debuggers and forensic tools",
"severity": 3,
"marks": [
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5368
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5369
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1597200788.31275,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5370
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5445
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5445
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5446
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5447
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5448
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5459
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5459
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Registry Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5460
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1597200788.32775,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5461
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200788.37475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5572
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200788.37475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5572
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200788.37475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5573
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1597200788.37475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5574
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200788.37475,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 5575
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "OLLYDBG",
"window_name": ""
},
"time": 1597200789.312,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4784
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "GBDYLLO",
"window_name": ""
},
"time": 1597200789.312,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4785
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": 0,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "pediy06",
"window_name": ""
},
"time": 1597200789.312,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4786
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4861
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4861
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4862
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4863
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4864
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4875
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "RegmonClass",
"window_name": ""
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4875
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Registry Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4876
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "18467-41",
"window_name": ""
},
"time": 1597200789.327,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4877
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200789.358,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4992
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "FilemonClass",
"window_name": ""
},
"time": 1597200789.358,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4992
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "File Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200789.358,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4993
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "PROCMON_WINDOW_CLASS",
"window_name": ""
},
"time": 1597200789.374,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4994
},
{
"call": {
"category": "ui",
"status": 0,
"stacktrace": [],
"last_error": 126,
"nt_status": -1073741515,
"api": "FindWindowA",
"return_value": 0,
"arguments": {
"class_name": "#0",
"window_name": "Process Monitor - Sysinternals: www.sysinternals.com"
},
"time": 1597200789.374,
"tid": 2256,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 4995
}
],
"references": [],
"name": "antidbg_windows"
},
{
"markcount": 2,
"families": [],
"description": "Checks the version of Bios, possibly for anti-virtualization",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_generic_bios"
},
{
"markcount": 2,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\System32\\schtasks.exe\" \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "schtasks.exe \/Create \/SC MINUTE \/MO 5 \/TN \"ServiceHub VSDetouredHost\" \/TR \"C:\\Users\\cuck\\AppData\\Local\\JaxxLiberty\\ServiceHub.IdentityHost.exe\" \/F",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 5,
"families": [],
"description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception",
"severity": 3,
"marks": [
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000444",
"value": 1,
"regkey_r": "WpadDecisionReason",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason"
},
"time": 1597200822.14,
"tid": 2984,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 816,
"type": "call",
"cid": 6139
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000444",
"value": "\u00b0,\u00faH\u0083p\u00d6\u0001",
"regkey_r": "WpadDecisionTime",
"reg_type": 3,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime"
},
"time": 1597200822.14,
"tid": 2984,
"flags": {
"reg_type": "REG_BINARY"
}
},
"pid": 816,
"type": "call",
"cid": 6140
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExA",
"return_value": 0,
"arguments": {
"key_handle": "0x00000444",
"value": 3,
"regkey_r": "WpadDecision",
"reg_type": 4,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision"
},
"time": 1597200822.14,
"tid": 2984,
"flags": {
"reg_type": "REG_DWORD"
}
},
"pid": 816,
"type": "call",
"cid": 6141
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x00000444",
"value": "Unidentified network",
"regkey_r": "WpadNetworkName",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName"
},
"time": 1597200822.14,
"tid": 2984,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 816,
"type": "call",
"cid": 6142
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegSetValueExW",
"return_value": 0,
"arguments": {
"key_handle": "0x00000440",
"value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
"regkey_r": "WpadLastNetwork",
"reg_type": 1,
"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork"
},
"time": 1597200822.171,
"tid": 2984,
"flags": {
"reg_type": "REG_SZ"
}
},
"pid": 816,
"type": "call",
"cid": 6211
}
],
"references": [],
"name": "modifies_proxy_wpad"
},
{
"markcount": 1,
"families": [],
"description": "Detects VirtualBox through the presence of a registry key",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antivm_vbox_keys"
},
{
"markcount": 1,
"families": [],
"description": "Detects VMWare through the in instruction feature",
"severity": 3,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "",
"registers": {
"esp": 9500852,
"edi": 11742568,
"eax": 1447909480,
"ebp": 3992825876,
"edx": 22104,
"ebx": 1975324853,
"esi": 4412220,
"ecx": 20
},
"exception": {
"instruction_r": "ed 64 8f 05 00 00 00 00 50 54 8b 04 24 83 c4 04",
"symbol": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0+0x21ac84",
"instruction": "in eax, dx",
"module": "1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0.bin",
"exception_code": "0xc0000096",
"offset": 2206852,
"address": "0x43ac84"
}
},
"time": 1597200787.96875,
"tid": 2460,
"flags": {}
},
"pid": 2420,
"type": "call",
"cid": 23
}
],
"references": [],
"name": "antivm_vmware_in_instruction"
},
{
"markcount": 1,
"families": [],
"description": "Detects the presence of Wine emulator",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Wine",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "antiemu_wine"
}
]Yara
[
{
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"virtualpc": [
[
1251013,
0
]
]
},
"strings": [
"Dz8HCw=="
]
}
]Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.2302021980285645,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5990,
"time": 12.229426145553589,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7834,
"time": 36.947941064834595,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8154,
"time": 5.938132047653198,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8474,
"time": 4.164254188537598,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8802,
"time": 6.177103042602539,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9130,
"time": 4.671109199523926,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9458,
"time": 3.062939167022705,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9786,
"time": 6.201244115829468,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 10114,
"time": 4.237558126449585,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 29524,
"time": 4.185533046722412,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 37908,
"time": 6.29671311378479,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "47411f74c689987406165217b98fb07587fbc896c2f3c4a02d8ca9c926ef2ce0",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "90a225d1948f1ca9dabd0103b13221f605147b351f37e012e352ecd2aec0b9cc",
"irc": [],
"https_ex": []
}Screenshots
proton1.exe removal instructions
The instructions below shows how to remove proton1.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the proton1.exe file for removal, restart your computer and scan it again to verify that proton1.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate proton1.exe in the scan result and tick the checkbox next to the proton1.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate proton1.exe in the scan result.
c:\downloads\proton1.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the proton1.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If proton1.exe still remains in the scan result, proceed with the next step. If proton1.exe is gone from the scan result you're done.
- If proton1.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that proton1.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 09e491b959b8a923a3e0929f80648a7d |
| SHA256 | 1e54bd0391f64e1d9366a5fec2b8120c5327451d194a5550080bfb06b0899af0 |
Error Messages
These are some of the error messages that can appear related to proton1.exe:
proton1.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
proton1.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
file monitor control module. has stopped working.
End Program - proton1.exe. This program is not responding.
proton1.exe is not a valid Win32 application.
proton1.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with proton1.exe?
To help other users, please let us know what you will do with proton1.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.