What is OSArmorDevSvc.exe?

According to its version information, OSArmorDevSvc.exe is part of NoVirusThanks OSArmor Service and is developed by NoVirusThanks Company Srl.

The file's description is "NoVirusThanks OSArmor Service".

OSArmorDevSvc.exe is digitally signed by NoVirusThanks Company Srl.

OSArmorDevSvc.exe is usually located in the 'C:\Program Files\NoVirusThanks\OSArmorDevSvc\' folder.

Some of the anti-virus scanners at VirusTotal detected OSArmorDevSvc.exe.

Vendor and version information

The following is the available information on OSArmorDevSvc.exe:

Property | Value
--- | ---
Product name | NoVirusThanks OSArmor Service
Company name | NoVirusThanks Company Srl
File description | NoVirusThanks OSArmor Service
Comments | NoVirusThanks OSArmor Service
Legal copyright | NoVirusThanks Company Srl
Product version | 1.1.0.0
File version | 1.1.0.0

Digital signatures

OSArmorDevSvc.exe has a valid digital signature.

Property | Value
--- | ---
Signer name | NoVirusThanks Company Srl
Certificate issuer name | GlobalSign CodeSigning CA - G3
Certificate serial number | 60df26c55d114424b228a918

VirusTotal report

1 of the 68 anti-virus programs at VirusTotal detected the OSArmorDevSvc.exe file. That's a 1% detection rate.

Scanner | Detection Name
--- | ---
BitDefenderTheta | Gen:NN.ZexaE.32250.NE2aamaq2OjO

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "dll_loaded": [
        "kernel32",
        "API-MS-Win-Security-LSALookup-L1-1-0.dll",
        "ntdll",
        "WINSTA.dll",
        "wintrust.dll",
        "kernel32.dll",
        "msvcrt.dll",
        "oleaut32.dll",
        "dwmapi.dll",
        "ntdll.dll",
        "msimg32.dll",
        "ntmarta.dll",
        "Crypt32.dll",
        "wtsapi32",
        "userenv",
        "advapi32.dll",
        "ole32.dll",
        "imm32.dll",
        "USER32.dll",
        "wtsapi32.dll",
        "gdi32.dll",
        "winmm.dll",
        "version.dll",
        "ADVAPI32.dll",
        "uxtheme.dll",
        "winspool.drv",
        "RPCRT4.dll",
        "comctl32.dll",
        "Imagehlp.dll",
        "NTDLL",
        "netapi32",
        "shell32.dll",
        "NTDLL.dll",
        "user32.dll",
        "Wtsapi32.dll"
    ],
    "file_opened": [
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
    ],
    "regkey_opened": [
        "HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Embarcadero\\Locales",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\04090409",
        "HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
        "HKEY_CURRENT_USER\\Software\\Wine",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
        "HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
        "HKEY_CURRENT_USER\\Software\\Embarcadero\\Locales",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\041D0409",
        "HKEY_CURRENT_USER\\Software\\Borland\\Locales",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
        "HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\Exclusions.DB",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\CustomBlock.DB"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
    ],
    "directory_enumerated": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.en-US",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.EN",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.ENU",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.en"
    ]
}

Generic

[
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1573717987.3281,
        "ppid": 376
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
        "process_name": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
        "pid": 2676,
        "summary": {
            "dll_loaded": [
                "kernel32",
                "API-MS-Win-Security-LSALookup-L1-1-0.dll",
                "ntdll",
                "WINSTA.dll",
                "wintrust.dll",
                "kernel32.dll",
                "msvcrt.dll",
                "oleaut32.dll",
                "dwmapi.dll",
                "ntdll.dll",
                "msimg32.dll",
                "ntmarta.dll",
                "Crypt32.dll",
                "wtsapi32",
                "userenv",
                "advapi32.dll",
                "ole32.dll",
                "imm32.dll",
                "USER32.dll",
                "wtsapi32.dll",
                "gdi32.dll",
                "winmm.dll",
                "version.dll",
                "ADVAPI32.dll",
                "uxtheme.dll",
                "winspool.drv",
                "RPCRT4.dll",
                "comctl32.dll",
                "Imagehlp.dll",
                "NTDLL",
                "netapi32",
                "shell32.dll",
                "NTDLL.dll",
                "user32.dll",
                "Wtsapi32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\Hardware\\description\\System",
                "HKEY_LOCAL_MACHINE\\Software\\Embarcadero\\Locales",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\04090409",
                "HKEY_LOCAL_MACHINE\\Software\\CodeGear\\Locales",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
                "HKEY_CURRENT_USER\\Software\\Wine",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
                "HKEY_CURRENT_USER\\Software\\CodeGear\\Locales",
                "HKEY_CURRENT_USER\\Software\\Embarcadero\\Locales",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\041D0409",
                "HKEY_CURRENT_USER\\Software\\Borland\\Locales",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
                "HKEY_CURRENT_USER\\Software\\Borland\\Delphi\\Locales",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\Exclusions.DB",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\CustomBlock.DB"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
                "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\CLASS\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.en-US",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.EN",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.ENU",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.en"
            ]
        },
        "first_seen": 1573717987.5938,
        "ppid": 2724
    }
]

Signatures

[
    {
        "markcount": 6,
        "families": [],
        "description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)",
        "severity": 1,
        "marks": [
            {
                "category": "section",
                "ioc": "   \\x00    ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": ".idata  ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": "        ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": "lyofklgd",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": "tibxlelf",
                "type": "ioc",
                "description": null
            },
            {
                "category": "section",
                "ioc": ".taggant",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "pe_features"
    },
    {
        "markcount": 113,
        "families": [],
        "description": "One or more processes crashed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324076,
                            "edi": 21641794,
                            "eax": 30391,
                            "ebp": 4009582612,
                            "edx": 395156552,
                            "ebx": 1259,
                            "esi": 0,
                            "ecx": 1975439852
                        },
                        "exception": {
                            "instruction_r": "fb 83 ec 04 89 34 24 e9 a1 fe ff ff 8b 34 24 81",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x433486",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4404358,
                            "address": "0x14a3486"
                        }
                    },
                    "time": 1573717987.7348,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 16
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21641794,
                            "eax": 1447909480,
                            "ebp": 4009582612,
                            "edx": 22104,
                            "ebx": 1975324853,
                            "esi": 21670371,
                            "ecx": 20
                        },
                        "exception": {
                            "instruction_r": "ed 64 8f 05 00 00 00 00 57 e9 8d 00 00 00 5c 89",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x43f43c",
                            "instruction": "in eax, dx",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4453436,
                            "address": "0x14af43c"
                        }
                    },
                    "time": 1573717987.7348,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 21
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21641794,
                            "eax": 1,
                            "ebp": 4009582612,
                            "edx": 22104,
                            "ebx": 0,
                            "esi": 21670371,
                            "ecx": 20
                        },
                        "exception": {
                            "instruction_r": "0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x43f892",
                            "address": "0x14af892",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc000001d",
                            "offset": 4454546
                        }
                    },
                    "time": 1573717987.7348,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 22
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21641794,
                            "eax": 1447909480,
                            "ebp": 4009582612,
                            "edx": 22104,
                            "ebx": 2256917605,
                            "esi": 21670371,
                            "ecx": 10
                        },
                        "exception": {
                            "instruction_r": "ed 81 fb 68 58 4d 56 75 0a c7 85 be 2c 2d 12 01",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x44000d",
                            "instruction": "in eax, dx",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4456461,
                            "address": "0x14b000d"
                        }
                    },
                    "time": 1573717987.7348,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 23
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324072,
                            "edi": 21641794,
                            "eax": 27102,
                            "ebp": 4009582612,
                            "edx": 2130566132,
                            "ebx": 21707068,
                            "esi": 10,
                            "ecx": 36
                        },
                        "exception": {
                            "instruction_r": "fb 51 56 68 a9 db f7 52 5e b9 57 d8 e5 22 01 f1",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x443dad",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4472237,
                            "address": "0x14b3dad"
                        }
                    },
                    "time": 1573717987.8907,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 2713
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324076,
                            "edi": 2283,
                            "eax": 27102,
                            "ebp": 4009582612,
                            "edx": 4294943132,
                            "ebx": 21734170,
                            "esi": 10,
                            "ecx": 36
                        },
                        "exception": {
                            "instruction_r": "fb 83 ec 04 89 34 24 55 e9 b1 00 00 00 89 14 24",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x443bcb",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4471755,
                            "address": "0x14b3bcb"
                        }
                    },
                    "time": 1573717987.8907,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 2714
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324072,
                            "edi": 19559706,
                            "eax": 21781764,
                            "ebp": 4009582612,
                            "edx": 6,
                            "ebx": 38497378,
                            "esi": 1975260176,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 81 ec 04 00 00 00 e9 71 01 00 00 89 f7 5e 81",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x4560cf",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4546767,
                            "address": "0x14c60cf"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4979
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324076,
                            "edi": 19559706,
                            "eax": 21809607,
                            "ebp": 4009582612,
                            "edx": 6,
                            "ebx": 38497378,
                            "esi": 1975260176,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 68 93 1b 65 20 89 3c 24 c7 04 24 87 62 45 1c",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x455e9f",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4546207,
                            "address": "0x14c5e9f"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4980
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324076,
                            "edi": 19559706,
                            "eax": 21784623,
                            "ebp": 4009582612,
                            "edx": 6,
                            "ebx": 38497378,
                            "esi": 0,
                            "ecx": 607947093
                        },
                        "exception": {
                            "instruction_r": "fb 83 ec 04 89 1c 24 50 b8 d0 15 41 6d f7 d8 25",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x456224",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4547108,
                            "address": "0x14c6224"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4981
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324076,
                            "edi": 19559706,
                            "eax": 25530,
                            "ebp": 4009582612,
                            "edx": 542964933,
                            "ebx": 21787940,
                            "esi": 262633,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb 55 54 8b 2c 24 83 c4 04 52 68 04 00 00 00 5a",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x456a9a",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4549274,
                            "address": "0x14c6a9a"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4982
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324064,
                            "edi": 21805152,
                            "eax": 27195,
                            "ebp": 4009582612,
                            "edx": 542964933,
                            "ebx": 21787940,
                            "esi": 262633,
                            "ecx": 1273555976
                        },
                        "exception": {
                            "instruction_r": "fb 51 b9 1a 3f 6f 3f 81 c7 85 4a bf 1e 51 b9 00",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x45be9d",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4570781,
                            "address": "0x14cbe9d"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4984
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21832347,
                            "eax": 27195,
                            "ebp": 4009582612,
                            "edx": 542964933,
                            "ebx": 21787940,
                            "esi": 262633,
                            "ecx": 1273555976
                        },
                        "exception": {
                            "instruction_r": "fb 68 0b f4 1b 37 89 1c 24 e9 46 00 00 00 5f 58",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x45c049",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4571209,
                            "address": "0x14cc049"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4985
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21808299,
                            "eax": 27195,
                            "ebp": 4009582612,
                            "edx": 693225,
                            "ebx": 21787940,
                            "esi": 0,
                            "ecx": 1273555976
                        },
                        "exception": {
                            "instruction_r": "fb 50 89 0c 24 e9 31 fd ff ff 81 f3 84 9c 73 7c",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x45c3aa",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4572074,
                            "address": "0x14cc3aa"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4986
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21808299,
                            "eax": 27837,
                            "ebp": 4009582612,
                            "edx": 21841295,
                            "ebx": 21787940,
                            "esi": 0,
                            "ecx": 693225
                        },
                        "exception": {
                            "instruction_r": "fb 51 89 2c 24 68 4f 1d 4f 77 ff 34 24 e9 00 00",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x45e060",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4579424,
                            "address": "0x14ce060"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4987
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 4294942460,
                            "eax": 27837,
                            "ebp": 4009582612,
                            "edx": 21841295,
                            "ebx": 21787940,
                            "esi": 84201,
                            "ecx": 693225
                        },
                        "exception": {
                            "instruction_r": "fb 68 55 f9 26 77 89 34 24 89 0c 24 89 34 24 be",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x45e1a0",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4579744,
                            "address": "0x14ce1a0"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 4988
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 4358658,
                            "eax": 25734,
                            "ebp": 4009582612,
                            "edx": 21907535,
                            "ebx": 4358658,
                            "esi": 65613971,
                            "ecx": 2152444675
                        },
                        "exception": {
                            "instruction_r": "fb e9 99 fe ff ff c7 04 24 bf 5c 7c 3e 57 e9 00",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x46eeb7",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4648631,
                            "address": "0x14deeb7"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 5003
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 1375758944,
                            "eax": 25734,
                            "ebp": 4009582612,
                            "edx": 21884715,
                            "ebx": 4358658,
                            "esi": 65613971,
                            "ecx": 0
                        },
                        "exception": {
                            "instruction_r": "fb e9 6a 06 00 00 b9 39 97 90 05 01 cb 59 89 d8",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x46e568",
                            "instruction": "sti",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4646248,
                            "address": "0x14de568"
                        }
                    },
                    "time": 1573717988.0628,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 5004
            },
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324036,
                            "edi": 311610997,
                            "eax": 21999602,
                            "ebp": 4009582612,
                            "edx": 2130566132,
                            "ebx": 333434623,
                            "esi": 355249593,
                            "ecx": 2152537775
                    "time": 1573717988.1098,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 5214
            }
        ],
        "references": [],
        "name": "raises_exception"
    },
    {
        "markcount": 108,
        "families": [],
        "description": "Allocates read-write-execute memory (usually to unpack itself)",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtProtectVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "length": 696320,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "base_address": "0x01071000"
                    },
                    "time": 1573717988.1247,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5252
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00910000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5280
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00920000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5281
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a70000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5282
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 65536,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a80000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5283
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a90000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5284
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a90000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5286
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00ae0000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5287
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a90000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5289
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a90000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5291
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00af0000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5292
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00d60000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5296
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00df0000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5298
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00e00000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5300
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00e50000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5304
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x01020000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5305
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 8192,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a90000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5307
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02bd0000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5308
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x00a90000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5310
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02ce0000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5311
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02cf0000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5312
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02d00000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5313
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02d50000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5314
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02e60000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5315
            },
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "NtAllocateVirtualMemory",
                    "return_value": 0,
                    "arguments": {
                        "process_identifier": 2676,
                        "region_size": 4096,
                        "stack_dep_bypass": 0,
                        "stack_pivoted": 0,
                        "heap_dep_bypass": 0,
                        "protection": 64,
                        "process_handle": "0xffffffff",
                        "allocation_type": 4096,
                        "base_address": "0x02e70000"
                    },
                    "time": 1573717988.1558,
                    "tid": 1512,
                    "flags": {
                        "protection": "PAGE_EXECUTE_READWRITE",
                        "allocation_type": "MEM_COMMIT"
                    }
                },
                "pid": 2676,
                "type": "call",
                "cid": 5316
            }
        ],
        "references": [],
        "name": "allocates_rwx"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "A process attempted to delay the analysis task.",
        "severity": 2,
        "marks": [
            {
                "type": "generic",
                "description": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin tried to sleep 432 seconds, actually delayed analysis time by 432 seconds"
            }
        ],
        "references": [],
        "name": "antisandbox_sleep"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.9864160646117,
                "section": {
                    "size_of_data": "0x000a9400",
                    "virtual_address": "0x00001000",
                    "entropy": 7.9864160646117,
                    "name": "   \\x00    ",
                    "virtual_size": "0x00202000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 7.9556992804682,
                "section": {
                    "size_of_data": "0x001bde00",
                    "virtual_address": "0x0059d000",
                    "entropy": 7.9556992804682,
                    "name": "lyofklgd",
                    "virtual_size": "0x001be000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 0.92205358815814,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Checks the version of Bios, possibly for anti-virtualization",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
                "type": "ioc",
                "description": null
            },
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antivm_generic_bios"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Detects VirtualBox through the presence of a registry key",
        "severity": 3,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antivm_vbox_keys"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Detects VMWare through the in instruction feature",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "__notification__",
                    "status": 1,
                    "stacktrace": [],
                    "raw": [
                        "stacktrace"
                    ],
                    "api": "__exception__",
                    "return_value": 0,
                    "arguments": {
                        "stacktrace": "",
                        "registers": {
                            "esp": 4324068,
                            "edi": 21641794,
                            "eax": 1447909480,
                            "ebp": 4009582612,
                            "edx": 22104,
                            "ebx": 1975324853,
                            "esi": 21670371,
                            "ecx": 20
                        },
                        "exception": {
                            "instruction_r": "ed 64 8f 05 00 00 00 00 57 e9 8d 00 00 00 5c 89",
                            "symbol": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4+0x43f43c",
                            "instruction": "in eax, dx",
                            "module": "e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4.bin",
                            "exception_code": "0xc0000096",
                            "offset": 4453436,
                            "address": "0x14af43c"
                        }
                    },
                    "time": 1573717987.7348,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 21
            }
        ],
        "references": [],
        "name": "antivm_vmware_in_instruction"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Detects the presence of Wine emulator",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "LdrGetProcedureAddress",
                    "return_value": 3221225785,
                    "arguments": {
                        "ordinal": 0,
                        "module": "ntdll",
                        "module_address": "0x77b90000",
                        "function_address": "0x04bc853c",
                        "function_name": "wine_get_version"
                    },
                    "time": 1573717988.2348,
                    "tid": 1512,
                    "flags": {}
                },
                "pid": 2676,
                "type": "call",
                "cid": 5999
            },
            {
                "category": "registry",
                "ioc": "HKEY_CURRENT_USER\\Software\\Wine",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "antiemu_wine"
    }
]

Yara

[
    {
        "meta": {
            "description": "Possibly employs anti-virtualization techniques",
            "author": "nex"
        },
        "name": "vmdetect",
        "offsets": {
            "virtualpc": [
                [
                    2033603,
                    0
                ]
            ]
        },
        "strings": [
            "Dz8HCw=="
        ]
    }
]

Network



Hashes [?]

Property | Value
MD5 | 4d31c11c987638aaa5004d8445444def
SHA256 | e07baed7ff871d415bce0c8097fb7569b1534c0b084f2c9aeb452184a0372ca4

Error Messages

These are some of the error messages that can appear related to osarmordevsvc.exe:

osarmordevsvc.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

osarmordevsvc.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

NoVirusThanks OSArmor Service has stopped working.

End Program - osarmordevsvc.exe. This program is not responding.

osarmordevsvc.exe is not a valid Win32 application.

osarmordevsvc.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.


Malware or legitimate?

If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.


And now some shameless self promotion ;)

Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.

If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.
