{ "analysis_details": { "creation_time": "2017-09-20 18:07 (UTC+2)", "execution_successful": true, "number_of_processes": 2, "reputation_enabled": true, "termination_reason": "all_processes_terminated", "type": "analysis_details", "version": 2, "vm_analysis_duration_time": "00:01:10" }, "artifacts": { "files": [ { "filename": "STD_INPUT_HANDLE", "hashes": [], "norm_filename": "std_input_handle", "operations": [ "access" ], "type": "file_artifact", "version": 1 }, { "filename": "STD_OUTPUT_HANDLE", "hashes": [], "norm_filename": "std_output_handle", "operations": [ "access" ], "type": "file_artifact", "version": 1 }, { "filename": "STD_ERROR_HANDLE", "hashes": [], "norm_filename": "std_error_handle", "operations": [ "access" ], "type": "file_artifact", "version": 1 }, { "filename": "\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", "hashes": [], "norm_filename": "c:\\windows\\syswow64\\ntdll.dll", "operations": [ "read", "access" ], "type": "file_artifact", "version": 1 } ], "ips": [], "mutexes": [ { "mutex_name": "Nameless", "operations": [ "access" ], "type": "mutex_artifact", "version": 1 } ], "registry": [ { "operations": [ "access" ], "reg_key_name": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\VBA\\Monitors", "type": "registry_artifact", "version": 1 } ], "type": "artifacts", "urls": [], "version": 1 }, "extracted_files": [], "process_dumps": [ { "archive_path": "process_dumps/process_00000001-region_00000001-addr_0x0000000000010000-size_0x0000000000020000-perm_rw.bin", "filename": "process_00000001-region_00000001-addr_0x0000000000010000-size_0x0000000000020000-perm_rw.bin", "id": "proc_dump_2", "md5_hash": "c22b24534ebd60bf4000f1e276041914", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "11e488122ef3964f4f58b71ed18a6f8e9c786372", "sha256_hash": "c336dc1295de724227271af8f0c427b18a0f26c13e6f313d5a53f997764860ce", "size": 131072, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000002-addr_0x0000000000030000-size_0x0000000000002000-perm_rw.bin", "filename": "process_00000001-region_00000002-addr_0x0000000000030000-size_0x0000000000002000-perm_rw.bin", "id": "proc_dump_3", "md5_hash": "8e96372583152ccacf0df39b5b05979a", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "a0f21c932e4015c8556b27bd9b18d1a46ed3a8dd", "sha256_hash": "273376435fcc981bf2e67d7d4b234631557427931a6ca7ae5ae808c3b02b04fa", "size": 8192, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000004-addr_0x0000000000050000-size_0x0000000000040000-perm_rw.bin", "filename": "process_00000001-region_00000004-addr_0x0000000000050000-size_0x0000000000040000-perm_rw.bin", "id": "proc_dump_4", "md5_hash": "6e038e4fa6ad61c3ca23fdfd47b41149", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "e70a42538b144580d803f20aca841b0fbb43f4e3", "sha256_hash": "1129d9c79393a805c2dfbe8e9ad7e9655a716929c3c7987af4fc5740c0705045", "size": 262144, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000005-addr_0x0000000000090000-size_0x0000000000100000-perm_rw.bin", "filename": "process_00000001-region_00000005-addr_0x0000000000090000-size_0x0000000000100000-perm_rw.bin", "id": "proc_dump_5", "md5_hash": "79bf1a784fa19f415f88984a386da33d", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "2d2af0b8df76d75a7af11954ad0a1ba26630ca45", "sha256_hash": "c82213b63fd8cc56a7463141d6e9b41c50cdd3aa765d09a4e3e5cc97cac70058", "size": 1048576, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000007-addr_0x0000000000400000-size_0x0000000000048000-perm_rwx.bin", "filename": "process_00000001-region_00000007-addr_0x0000000000400000-size_0x0000000000048000-perm_rwx.bin", "id": "proc_dump_6", "md5_hash": "50d4dba0ffba8cf9e5b932107483f93b", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "62c9fee7cc4cc6fbd377ee56c6b21c006efb307f", "sha256_hash": "7535d925b3d5502addca8a1fafb2dbd15d82e0ad96981ff35b3912052c336f0a", "size": 290816, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000011-addr_0x000000007efdb000-size_0x0000000000003000-perm_rw.bin", "filename": "process_00000001-region_00000011-addr_0x000000007efdb000-size_0x0000000000003000-perm_rw.bin", "id": "proc_dump_7", "md5_hash": "364987a549544d225043b8f8410cb2b5", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "685fd1a3a7b5699d56cbefcc52c46e9e98e6cd6b", "sha256_hash": "6e6c2489f959677a0f53a845f2470be2754144755c32e7dac74c9abb8951fb02", "size": 12288, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000012-addr_0x000000007efde000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000001-region_00000012-addr_0x000000007efde000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_8", "md5_hash": "2f8ac185e8c0123a25df6c2f424c45c9", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "4ecbf6bc0ed04e240a1c147a91e6155b9bf3abe8", "sha256_hash": "975ca09e7a7ecb5f5dabafa62b642527aee145d7b4064ef3bc5d236ceaa3da47", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000013-addr_0x000000007efdf000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000001-region_00000013-addr_0x000000007efdf000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_9", "md5_hash": "6dda99ab923e817887d544edf4d0978c", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "7da53c7d36129da1b076aba12ca82000da33415e", "sha256_hash": "4c1d6e10a206d561f62e5f746b18f637b8f4e253ba0f45df883eabe11301ec1d", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000015-addr_0x000000007ffe0000-size_0x0000000000010000-perm_r.bin", "filename": "process_00000001-region_00000015-addr_0x000000007ffe0000-size_0x0000000000010000-perm_r.bin", "id": "proc_dump_10", "md5_hash": "adad01d6a2c750000d34735da939e0ff", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "fede4bff1f0a66663c6ce902ce6f8eed350f62b3", "sha256_hash": "f01d5398d1cc44bd722ccef4c984a00ab473ce215572b073f42682cef00fa824", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000149-addr_0x0000000000290000-size_0x0000000000080000-perm_rw.bin", "filename": "process_00000001-region_00000149-addr_0x0000000000290000-size_0x0000000000080000-perm_rw.bin", "id": "proc_dump_11", "md5_hash": "ebc627078701e9c1afc20aee14dd2c41", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "ca94516fee292c0e691a1942d1448082d9c3cc0c", "sha256_hash": "3d6422e95d3dae10397702e83ebacb09404ed30e5485bf56a77c7764ff9f5a96", "size": 524288, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000153-addr_0x0000000000540000-size_0x0000000000100000-perm_rw.bin", "filename": "process_00000001-region_00000153-addr_0x0000000000540000-size_0x0000000000100000-perm_rw.bin", "id": "proc_dump_12", "md5_hash": "9beae5c7895373fd2a765c9ca3f9e27b", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "a999dcb7f518d64ccf3abcb8f89cf0cfb6fd21b4", "sha256_hash": "fcd930ecb74e40880b4eb74216564d93b2fe2ca4247b9e4b437df668975d4fa5", "size": 1048576, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000156-addr_0x0000000077160000-size_0x00000000000fa000-perm_rwx.bin", "filename": "process_00000001-region_00000156-addr_0x0000000077160000-size_0x00000000000fa000-perm_rwx.bin", "id": "proc_dump_13", "md5_hash": "6eeea0bcbc21bd1c0d7f0d6ae3488f7b", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "fad191d56abe255a03a7b4b3b641fcfa8a4f81fe", "sha256_hash": "938a68694e4495227ebc925be61a20adb5c6c82d7dd57cc67a2717e2f9f2bf70", "size": 1024000, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000157-addr_0x0000000077260000-size_0x000000000011f000-perm_rwx.bin", "filename": "process_00000001-region_00000157-addr_0x0000000077260000-size_0x000000000011f000-perm_rwx.bin", "id": "proc_dump_14", "md5_hash": "caf76e9dd8864dfb7d729847f3595e80", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "71745f0f20bf18b3813fbb1a30eed8d41dc1d51d", "sha256_hash": "f113bc4b90aa0447b7992c2783d7c3b16d63f0e65e2c54c6e93ba833e8e0c667", "size": 1175552, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000176-addr_0x0000000000800000-size_0x0000000000010000-perm_rw.bin", "filename": "process_00000001-region_00000176-addr_0x0000000000800000-size_0x0000000000010000-perm_rw.bin", "id": "proc_dump_15", "md5_hash": "1ba384ad449ca2be477df3b57e869233", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "50eb95fee27d1852fb155f98cd03bdc627e632a8", "sha256_hash": "4a53e00c6a7e379e8942bd2fad3f156ad5e8c0771a8edaa5e6c4fec6331f017c", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000179-addr_0x0000000000020000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000001-region_00000179-addr_0x0000000000020000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_16", "md5_hash": "1c16e7f8c9fb073221cdbd45be0cec77", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "bda7955ac7a7e7503db3e4a25cd74ffe8d2459f0", "sha256_hash": "caedbaec9171ce5e0b6b45db275dddfe931fb271c7fa586cf46f9dd84966abd9", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000180-addr_0x0000000000030000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000001-region_00000180-addr_0x0000000000030000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_17", "md5_hash": "02fd8b8b71958a39bff3b18861e2cb0c", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "71c99b4560cea0e996341ad91518079c726fdd86", "sha256_hash": "e0af6c0d2e58f882e658d9e1e0d008fb8bff717b24ff5f04468f22777f3b17f1", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000183-addr_0x0000000001f60000-size_0x0000000000010000-perm_rw.bin", "filename": "process_00000001-region_00000183-addr_0x0000000001f60000-size_0x0000000000010000-perm_rw.bin", "id": "proc_dump_18", "md5_hash": "2fb6bde305ae83d51d25a49c45d980b8", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "8bb4aea1768715a465331472301eca6503cf376e", "sha256_hash": "8efd133e78191449f8d0588072611eea4f8828195d67752f10dd81e2078fde3e", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000184-addr_0x0000000001f70000-size_0x0000000000400000-perm_rw.bin", "filename": "process_00000001-region_00000184-addr_0x0000000001f70000-size_0x0000000000400000-perm_rw.bin", "id": "proc_dump_19", "md5_hash": "bd73217b4100a2eb20a727b7c5af228a", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "047fd2813d4ab79a0b05eb825394523ac88ef005", "sha256_hash": "ab71a54736177a7a197a4014ee052abb0b2dbee75af9a953da069592e958bb40", "size": 4194304, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000186-addr_0x0000000001da0000-size_0x00000000001a0000-perm_rw.bin", "filename": "process_00000001-region_00000186-addr_0x0000000001da0000-size_0x00000000001a0000-perm_rw.bin", "id": "proc_dump_20", "md5_hash": "7ccbdadf63fa64766a526553dfc8d3db", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "0294f150f91be1b3fed9ef8a7cd104f1794b3c72", "sha256_hash": "e75dd2f88d5501fc20270fd734fe2b4ed7b97245cc8fb5725a40f6aa816aa771", "size": 1703936, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000187-addr_0x0000000000360000-size_0x0000000000040000-perm_rw.bin", "filename": "process_00000001-region_00000187-addr_0x0000000000360000-size_0x0000000000040000-perm_rw.bin", "id": "proc_dump_21", "md5_hash": "fe1fe3448e65b95058861f089d02210a", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "9ac8bbda91064c0ccf7142e8c957c8ab8c55aedc", "sha256_hash": "55446396588e8d35974ad032d4571e9335609702c5c2b706eff07ca6234392f5", "size": 262144, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000189-addr_0x0000000000210000-size_0x0000000000040000-perm_rw.bin", "filename": "process_00000001-region_00000189-addr_0x0000000000210000-size_0x0000000000040000-perm_rw.bin", "id": "proc_dump_22", "md5_hash": "649472d1ad8b386bd6e5892f468b6bbd", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "356638c500536f37b0c6c8c23b916fa132901e16", "sha256_hash": "d7cf2ec29a9cb4a3a99c5731b9ae720ed30b03d2d847d3a4f7a27892a40a7e64", "size": 262144, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000191-addr_0x0000000000250000-size_0x0000000000010000-perm_rw.bin", "filename": "process_00000001-region_00000191-addr_0x0000000000250000-size_0x0000000000010000-perm_rw.bin", "id": "proc_dump_23", "md5_hash": "9bb8d9d9e29bbba10e997a6e9c053512", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "3daf3f911d73792f731578a17a6fba33a02aa063", "sha256_hash": "9c028d6b5fef6c616953ed403a989de45657ca627f6cb52359773898cd46ebc7", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000192-addr_0x0000000000350000-size_0x0000000000010000-perm_rw.bin", "filename": "process_00000001-region_00000192-addr_0x0000000000350000-size_0x0000000000010000-perm_rw.bin", "id": "proc_dump_24", "md5_hash": "840c9a4fe01f03842c79639c156e3759", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "fc54734ec0ae39850d5615a4f76dd78b013228da", "sha256_hash": "bcd3fb3f377364aecfea73437211386eb24fb203d5ba0f2d9e824cce6a7091be", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000200-addr_0x0000000001da0000-size_0x0000000000090000-perm_rw.bin", "filename": "process_00000001-region_00000200-addr_0x0000000001da0000-size_0x0000000000090000-perm_rw.bin", "id": "proc_dump_25", "md5_hash": "d240ffa8b16ce427984221b2b8564f5d", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "3d3fff0f83abcb164365a2d59b17af094cc69c0c", "sha256_hash": "4ecd0ed85ddd80e46b12f34c96258c40e5d297b3678c6627b8afb1671e1ca267", "size": 589824, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000201-addr_0x0000000001f00000-size_0x0000000000040000-perm_rw.bin", "filename": "process_00000001-region_00000201-addr_0x0000000001f00000-size_0x0000000000040000-perm_rw.bin", "id": "proc_dump_26", "md5_hash": "f16b55a3cf3f88053a895284bae31387", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "bdb432ef8e5784f4d6ed01df7dc4443f6465b082", "sha256_hash": "2ba1c6aee4a5085681a87eef0303334abeace9818d67961ad32f1f86de19730c", "size": 262144, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000202-addr_0x0000000000310000-size_0x0000000000040000-perm_rw.bin", "filename": "process_00000001-region_00000202-addr_0x0000000000310000-size_0x0000000000040000-perm_rw.bin", "id": "proc_dump_27", "md5_hash": "a11b0c6d6300d8082a0400281a5f3124", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "ed1114c81d80e9ce327f8229888a5d74a497fc94", "sha256_hash": "585e1a1b856eecb391a45d4524dcb09baaaf6d6fb3f9625af021e882f08143ea", "size": 262144, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000203-addr_0x0000000003370000-size_0x0000000000100000-perm_rw.bin", "filename": "process_00000001-region_00000203-addr_0x0000000003370000-size_0x0000000000100000-perm_rw.bin", "id": "proc_dump_28", "md5_hash": "5ce95f2015301a8aef0fcd562b5d511d", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "ed5781d19a95b7c6d0ff7514df353a1feff71ece", "sha256_hash": "e0df02246330188d37b89d4644d5866f3fe2ef2c146dab632b4dc2cda5c52efe", "size": 1048576, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000204-addr_0x000000007efd8000-size_0x0000000000003000-perm_rw.bin", "filename": "process_00000001-region_00000204-addr_0x000000007efd8000-size_0x0000000000003000-perm_rw.bin", "id": "proc_dump_29", "md5_hash": "98157ad795b53f14dc6eb68a4fb38d1c", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "699b34a4098b1ad923120f4285bac8f4545ba727", "sha256_hash": "44c748ec129da23d5977ab853542fb4969256a31ce4b6acd9bd4230ddb00fcb6", "size": 12288, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000208-addr_0x0000000001da0000-size_0x0000000000080000-perm_rw.bin", "filename": "process_00000001-region_00000208-addr_0x0000000001da0000-size_0x0000000000080000-perm_rw.bin", "id": "proc_dump_30", "md5_hash": "800dd56eacfb169e07dbc650d7b9b9af", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "4e766d88ee2c164f0eb09e425d61871a1add2ebd", "sha256_hash": "6e4cd939105a26d6aa62b20f94168142226b8ecda6943b8106e24d84243cd3e5", "size": 524288, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000209-addr_0x0000000001e20000-size_0x0000000000010000-perm_rw.bin", "filename": "process_00000001-region_00000209-addr_0x0000000001e20000-size_0x0000000000010000-perm_rw.bin", "id": "proc_dump_31", "md5_hash": "de10997e6f9e9735d6ce9c12287bd693", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "0393129524b2cb6fd5c14aa04f44e6d7d9fe2fd1", "sha256_hash": "e545dbe494fa539f9b7c26fd326ba1fe7540f503ed10a36cda2b8ee130fceebb", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000210-addr_0x00000000003a0000-size_0x0000000000009000-perm_rwx.bin", "filename": "process_00000001-region_00000210-addr_0x00000000003a0000-size_0x0000000000009000-perm_rwx.bin", "id": "proc_dump_32", "md5_hash": "001ea373b8046c2a383752140d6a6005", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "15b794d1afdeadadbf5d793a086aedb270e8cd5f", "sha256_hash": "2c89eb88cc4b4d0288decfcab45d78908df9338f27841c57780b04cab5637692", "size": 36864, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000001-region_00000214-addr_0x00000000003b0000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000001-region_00000214-addr_0x00000000003b0000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_33", "md5_hash": "9b5cd9ddbc26e337557956d76605a1f5", "ref_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "287c54255061d8cd861dfe248c54f48b26dd5abb", "sha256_hash": "17ac1710dfea0b68c085c5971b6d19d44e47e294d715c8a6524e637ab193d956", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000215-addr_0x0000000000010000-size_0x0000000000020000-perm_rw.bin", "filename": "process_00000002-region_00000215-addr_0x0000000000010000-size_0x0000000000020000-perm_rw.bin", "id": "proc_dump_34", "md5_hash": "87942cb3c7a1db0aeaf3dbef360f4d47", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "8c52538df4f93600a335aba028bcd91a61211514", "sha256_hash": "3d775cc1219d1efb9194304f810c5935537fc82934e0e50a4ae42288805a5c5a", "size": 131072, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000216-addr_0x0000000000030000-size_0x0000000000002000-perm_rw.bin", "filename": "process_00000002-region_00000216-addr_0x0000000000030000-size_0x0000000000002000-perm_rw.bin", "id": "proc_dump_35", "md5_hash": "4fb627a1abd7c9dd5edb42f16bbd7353", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "1e41bc5be4a046e6af81275ec6804e9531f48fcc", "sha256_hash": "2ddd71f3959936844dc69dbb9e53172914b68ff99eccb5757904c4e6039a38ab", "size": 8192, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000218-addr_0x0000000000050000-size_0x0000000000040000-perm_rw.bin", "filename": "process_00000002-region_00000218-addr_0x0000000000050000-size_0x0000000000040000-perm_rw.bin", "id": "proc_dump_36", "md5_hash": "1392ee18241050c90b451169b6cdede6", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "16d62031c044c75bca53789ea71e655fb6e76986", "sha256_hash": "48bfc373aae756f3f0744cfdba7987e012398a8089dcff7d035006089dffcb47", "size": 262144, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000219-addr_0x0000000000090000-size_0x0000000000100000-perm_rw.bin", "filename": "process_00000002-region_00000219-addr_0x0000000000090000-size_0x0000000000100000-perm_rw.bin", "id": "proc_dump_37", "md5_hash": "7d61ce2a58f3cf4411dc4224ee5d466a", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "8d9a73d163ba861e27edaf079016fee804c02e66", "sha256_hash": "a2c41c0b5a295fc3328f87076df2657882bf1ceb57ccca113cdd272664141e44", "size": 1048576, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000221-addr_0x0000000000400000-size_0x0000000000024000-perm_rwx.bin", "filename": "process_00000002-region_00000221-addr_0x0000000000400000-size_0x0000000000024000-perm_rwx.bin", "id": "proc_dump_38", "md5_hash": "6fef4c5bbe9ba3d32fce1073c496f5a9", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "92eef1129ebf33d4dbaf32d8842e23071b8c1046", "sha256_hash": "8339c148d5252874d44c39234c51a499a51534ce5018df8a4e2e8ead0973fc2e", "size": 147456, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000225-addr_0x000000007efdb000-size_0x0000000000003000-perm_rw.bin", "filename": "process_00000002-region_00000225-addr_0x000000007efdb000-size_0x0000000000003000-perm_rw.bin", "id": "proc_dump_39", "md5_hash": "0f7dbf6c0eda41638fca9f1174dad930", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "da9229e79242355738d3ca4364540a653df3160e", "sha256_hash": "a0060a6c630339bf4429fe9dbf5f6c4c23fb9852bf610152712f83b8e087424c", "size": 12288, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000226-addr_0x000000007efde000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000002-region_00000226-addr_0x000000007efde000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_40", "md5_hash": "06df9279cbb6417b30b871eeb8e63a24", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "49afad51bbb4b04bd6dc194077ff219ec3885776", "sha256_hash": "f6ac947e409130c5f70f4f4e81a05e55ae5346775548daf3cbfb0c6f6c5536c1", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000227-addr_0x000000007efdf000-size_0x0000000000001000-perm_rw.bin", "filename": "process_00000002-region_00000227-addr_0x000000007efdf000-size_0x0000000000001000-perm_rw.bin", "id": "proc_dump_41", "md5_hash": "f263ae106c6e1426148399a0694e98c4", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "d86cb9b97b7b47b725abdb93e02c766c2ecf7903", "sha256_hash": "ad9d893274dee02d480ead0511ad4fdc073169b62f8158523e9c0b579e6f54fb", "size": 4096, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000229-addr_0x000000007ffe0000-size_0x0000000000010000-perm_r.bin", "filename": "process_00000002-region_00000229-addr_0x000000007ffe0000-size_0x0000000000010000-perm_r.bin", "id": "proc_dump_42", "md5_hash": "e9d21c27792770d85b91891874f65afd", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "cec41674f41c7a72ee5b0eebeda5ed0d8d3f6417", "sha256_hash": "0a1495b1f4ee52f9bd2e252a4174e435d9f0350beeb2618dc8c6d28854edbbb4", "size": 65536, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000231-addr_0x00000000002b0000-size_0x0000000000080000-perm_rw.bin", "filename": "process_00000002-region_00000231-addr_0x00000000002b0000-size_0x0000000000080000-perm_rw.bin", "id": "proc_dump_43", "md5_hash": "fe1c3ced9f357e3f2b7675a0b4e2cf2b", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "19a63b6f17bf3014cf77c6e7889677b8baba063b", "sha256_hash": "4cd2f59ba0000af616887baf41375ede69b0422736b7b92e04accdbd4bc248cd", "size": 524288, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000237-addr_0x0000000000540000-size_0x0000000000100000-perm_rw.bin", "filename": "process_00000002-region_00000237-addr_0x0000000000540000-size_0x0000000000100000-perm_rw.bin", "id": "proc_dump_44", "md5_hash": "404e28e4e4ac15bdff349650f756efe8", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "c96065cb21b97c5a3177c009a44cf972e36c0e4c", "sha256_hash": "613388cdb016c8d2ad7e511da48eaf3cb74d4ec5320a3d9f2c0c48efde1a47df", "size": 1048576, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000240-addr_0x0000000077160000-size_0x00000000000fa000-perm_rwx.bin", "filename": "process_00000002-region_00000240-addr_0x0000000077160000-size_0x00000000000fa000-perm_rwx.bin", "id": "proc_dump_45", "md5_hash": "6eeea0bcbc21bd1c0d7f0d6ae3488f7b", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "fad191d56abe255a03a7b4b3b641fcfa8a4f81fe", "sha256_hash": "938a68694e4495227ebc925be61a20adb5c6c82d7dd57cc67a2717e2f9f2bf70", "size": 1024000, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000241-addr_0x0000000077260000-size_0x000000000011f000-perm_rwx.bin", "filename": "process_00000002-region_00000241-addr_0x0000000077260000-size_0x000000000011f000-perm_rwx.bin", "id": "proc_dump_46", "md5_hash": "caf76e9dd8864dfb7d729847f3595e80", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "71745f0f20bf18b3813fbb1a30eed8d41dc1d51d", "sha256_hash": "f113bc4b90aa0447b7992c2783d7c3b16d63f0e65e2c54c6e93ba833e8e0c667", "size": 1175552, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000244-addr_0x0000000000780000-size_0x0000000000181000-perm_rw.bin", "filename": "process_00000002-region_00000244-addr_0x0000000000780000-size_0x0000000000181000-perm_rw.bin", "id": "proc_dump_47", "md5_hash": "b2c1f02aad3ea4e3004db4bbddc63c97", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "81472e3f6bd07f92f653f528876dfce67a55878e", "sha256_hash": "d55b91ddeef0d4bb212c6574b747a0a9ce743672df8777d41fb58148883df2de", "size": 1576960, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000245-addr_0x0000000000910000-size_0x0000000000303000-perm_rwx.bin", "filename": "process_00000002-region_00000245-addr_0x0000000000910000-size_0x0000000000303000-perm_rwx.bin", "id": "proc_dump_48", "md5_hash": "1913ae63545bf32a7b6161cb102026d2", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "7f0e95c2bf4c6eece3a3c926c5c7d6dfb970cc99", "sha256_hash": "b8cac5e414d61ad40d5656547283a4d4796c68fa663d4c361cc6672d2f0906cf", "size": 3158016, "type": "process_dump", "version": 1 }, { "archive_path": "process_dumps/process_00000002-region_00000246-addr_0x0000000000020000-size_0x0000000000010000-perm_rw.bin", "filename": "process_00000002-region_00000246-addr_0x0000000000020000-size_0x0000000000010000-perm_rw.bin", "id": "proc_dump_49", "md5_hash": "140904b0c3ff73a2a4f17baff1018f09", "ref_process": { "ref_id": "proc_2", "ref_source": "summary", "ref_type": "process", "type": "reference", "version": 1 }, "sha1_hash": "329f80b76104a688c1cbfc1cd3e36f9de6c2e319", "sha256_hash": "b08c2535b59fdee9e44558eaedffbf30d82bf9b41b77f38214fd2c2b073d9823", "size": 65536, "type": "process_dump", "version": 1 } ], "processes": [ { "cmd_line": "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\" ", "filename": "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "id": "proc_1", "image_name": "ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "monitor_reason": "analysis_target", "monitored_id": 1, "origin_monitor_id": 0, "ref_parent_process": null, "regions": [ { "dump": { "filename": "process_00000001-region_00000001-addr_0x0000000000010000-size_0x0000000000020000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_2", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 131072, "start_va": 65536, "type": "region", "version": 1 }, "end_va": 196607, "entry_point": 0, "filename": null, "id": "region_1", "name": "private_0x0000000000010000", "norm_filename": null, "region_type": "private_memory", "start_va": 65536, "timestamp": "00:00:19.949", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000002-addr_0x0000000000030000-size_0x0000000000002000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_3", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 8192, "start_va": 196608, "type": "region", "version": 1 }, "end_va": 204799, "entry_point": 0, "filename": null, "id": "region_2", "name": "private_0x0000000000030000", "norm_filename": null, "region_type": "private_memory", "start_va": 196608, "timestamp": "00:00:19.949", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 4096, "start_va": 262144, "type": "region", "version": 1 }, "end_va": 266239, "entry_point": 262144, "filename": "\\Windows\\System32\\apisetschema.dll", "id": "region_3", "name": "apisetschema.dll", "norm_filename": "c:\\windows\\system32\\apisetschema.dll", "region_type": "memory_mapped_file", "start_va": 262144, "timestamp": "00:00:19.949", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000004-addr_0x0000000000050000-size_0x0000000000040000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_4", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 262144, "start_va": 327680, "type": "region", "version": 1 }, "end_va": 589823, "entry_point": 0, "filename": null, "id": "region_4", "name": "private_0x0000000000050000", "norm_filename": null, "region_type": "private_memory", "start_va": 327680, "timestamp": "00:00:19.953", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000005-addr_0x0000000000090000-size_0x0000000000100000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_5", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1048576, "start_va": 589824, "type": "region", "version": 1 }, "end_va": 1638399, "entry_point": 0, "filename": null, "id": "region_5", "name": "private_0x0000000000090000", "norm_filename": null, "region_type": "private_memory", "start_va": 589824, "timestamp": "00:00:19.953", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 16384, "start_va": 1638400, "type": "region", "version": 1 }, "end_va": 1654783, "entry_point": 0, "filename": null, "id": "region_6", "name": "pagefile_0x0000000000190000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 1638400, "timestamp": "00:00:19.953", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000007-addr_0x0000000000400000-size_0x0000000000048000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_6", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 294912, "start_va": 4194304, "type": "region", "version": 1 }, "end_va": 4489215, "entry_point": 4194304, "filename": "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "id": "region_7", "name": "ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "norm_filename": "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "region_type": "memory_mapped_file", "start_va": 4194304, "timestamp": "00:00:19.954", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1740800, "start_va": 2000158720, "type": "region", "version": 1 }, "end_va": 2001899519, "entry_point": 2000158720, "filename": "\\Windows\\System32\\ntdll.dll", "id": "region_8", "name": "ntdll.dll", "norm_filename": "c:\\windows\\system32\\ntdll.dll", "region_type": "memory_mapped_file", "start_va": 2000158720, "timestamp": "00:00:19.954", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1572864, "start_va": 2002124800, "type": "region", "version": 1 }, "end_va": 2003697663, "entry_point": 2002124800, "filename": "\\Windows\\SysWOW64\\ntdll.dll", "id": "region_9", "name": "ntdll.dll", "norm_filename": "c:\\windows\\syswow64\\ntdll.dll", "region_type": "memory_mapped_file", "start_va": 2002124800, "timestamp": "00:00:20.050", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 143360, "start_va": 2130378752, "type": "region", "version": 1 }, "end_va": 2130522111, "entry_point": 0, "filename": null, "id": "region_10", "name": "pagefile_0x000000007efb0000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2130378752, "timestamp": "00:00:20.149", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000011-addr_0x000000007efdb000-size_0x0000000000003000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_7", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 12288, "start_va": 2130554880, "type": "region", "version": 1 }, "end_va": 2130567167, "entry_point": 0, "filename": null, "id": "region_11", "name": "private_0x000000007efdb000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130554880, "timestamp": "00:00:20.149", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000012-addr_0x000000007efde000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_8", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 2130567168, "type": "region", "version": 1 }, "end_va": 2130571263, "entry_point": 0, "filename": null, "id": "region_12", "name": "private_0x000000007efde000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130567168, "timestamp": "00:00:20.150", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000013-addr_0x000000007efdf000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_9", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 2130571264, "type": "region", "version": 1 }, "end_va": 2130575359, "entry_point": 0, "filename": null, "id": "region_13", "name": "private_0x000000007efdf000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130571264, "timestamp": "00:00:20.150", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "region_too_big" ], "info": "No dump was created because region size surpasses maximum region dump size of the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 16777216, "start_va": 2130575360, "type": "region", "version": 1 }, "end_va": 2147352575, "entry_point": 0, "filename": null, "id": "region_14", "name": "private_0x000000007efe0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130575360, "timestamp": "00:00:20.150", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000015-addr_0x000000007ffe0000-size_0x0000000000010000-perm_r.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable" ], "ref_process_dump": { "ref_id": "proc_dump_10", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 2147352576, "type": "region", "version": 1 }, "end_va": 2147418111, "entry_point": 0, "filename": null, "id": "region_15", "name": "private_0x000000007ffe0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2147352576, "timestamp": "00:00:20.150", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "ignored_region" ], "info": "No dump was created because this is an ignored region", "permissions": [ "readable" ], "ref_process_dump": null, "size": 8793945538560, "start_va": 2147418112, "type": "region", "version": 1 }, "end_va": 8796092956671, "entry_point": 0, "filename": null, "id": "region_16", "name": "private_0x000000007fff0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2147418112, "timestamp": "00:00:20.150", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000149-addr_0x0000000000290000-size_0x0000000000080000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_11", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 524288, "start_va": 2686976, "type": "region", "version": 1 }, "end_va": 3211263, "entry_point": 0, "filename": null, "id": "region_149", "name": "private_0x0000000000290000", "norm_filename": null, "region_type": "private_memory", "start_va": 2686976, "timestamp": "00:00:22.120", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 376832, "start_va": 1940324352, "type": "region", "version": 1 }, "end_va": 1940701183, "entry_point": 1940324352, "filename": "\\Windows\\System32\\wow64win.dll", "id": "region_150", "name": "wow64win.dll", "norm_filename": "c:\\windows\\system32\\wow64win.dll", "region_type": "memory_mapped_file", "start_va": 1940324352, "timestamp": "00:00:22.120", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 258048, "start_va": 1940717568, "type": "region", "version": 1 }, "end_va": 1940975615, "entry_point": 1940717568, "filename": "\\Windows\\System32\\wow64.dll", "id": "region_151", "name": "wow64.dll", "norm_filename": "c:\\windows\\system32\\wow64.dll", "region_type": "memory_mapped_file", "start_va": 1940717568, "timestamp": "00:00:22.128", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 32768, "start_va": 1941176320, "type": "region", "version": 1 }, "end_va": 1941209087, "entry_point": 1941176320, "filename": "\\Windows\\System32\\wow64cpu.dll", "id": "region_152", "name": "wow64cpu.dll", "norm_filename": "c:\\windows\\system32\\wow64cpu.dll", "region_type": "memory_mapped_file", "start_va": 1941176320, "timestamp": "00:00:22.136", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000153-addr_0x0000000000540000-size_0x0000000000100000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_12", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1048576, "start_va": 5505024, "type": "region", "version": 1 }, "end_va": 6553599, "entry_point": 0, "filename": null, "id": "region_153", "name": "private_0x0000000000540000", "norm_filename": null, "region_type": "private_memory", "start_va": 5505024, "timestamp": "00:00:22.193", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 286720, "start_va": 1966211072, "type": "region", "version": 1 }, "end_va": 1966497791, "entry_point": 1966211072, "filename": "\\Windows\\SysWOW64\\KernelBase.dll", "id": "region_154", "name": "kernelbase.dll", "norm_filename": "c:\\windows\\syswow64\\kernelbase.dll", "region_type": "memory_mapped_file", "start_va": 1966211072, "timestamp": "00:00:22.193", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1114112, "start_va": 1985675264, "type": "region", "version": 1 }, "end_va": 1986789375, "entry_point": 1985675264, "filename": "\\Windows\\SysWOW64\\kernel32.dll", "id": "region_155", "name": "kernel32.dll", "norm_filename": "c:\\windows\\syswow64\\kernel32.dll", "region_type": "memory_mapped_file", "start_va": 1985675264, "timestamp": "00:00:22.265", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000156-addr_0x0000000077160000-size_0x00000000000fa000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_13", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1024000, "start_va": 1997930496, "type": "region", "version": 1 }, "end_va": 1998954495, "entry_point": 0, "filename": null, "id": "region_156", "name": "private_0x0000000077160000", "norm_filename": null, "region_type": "private_memory", "start_va": 1997930496, "timestamp": "00:00:22.544", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000157-addr_0x0000000077260000-size_0x000000000011f000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_14", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1175552, "start_va": 1998979072, "type": "region", "version": 1 }, "end_va": 2000154623, "entry_point": 0, "filename": null, "id": "region_157", "name": "private_0x0000000077260000", "norm_filename": null, "region_type": "private_memory", "start_va": 1998979072, "timestamp": "00:00:22.544", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable", "writable" ], "ref_process_dump": null, "size": 65536, "start_va": 65536, "type": "region", "version": 1 }, "end_va": 131071, "entry_point": 0, "filename": null, "id": "region_158", "name": "pagefile_0x0000000000010000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 65536, "timestamp": "00:00:22.604", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable" ], "ref_process_dump": null, "size": 421888, "start_va": 1703936, "type": "region", "version": 1 }, "end_va": 2125823, "entry_point": 1703936, "filename": "\\Windows\\System32\\locale.nls", "id": "region_159", "name": "locale.nls", "norm_filename": "c:\\windows\\system32\\locale.nls", "region_type": "memory_mapped_file", "start_va": 1703936, "timestamp": "00:00:22.604", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "untracked_file_region" ], "info": "No dump was created because mapped file is not tracked", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1388544, "start_va": 1922301952, "type": "region", "version": 1 }, "end_va": 1923690495, "entry_point": 1922301952, "filename": "\\Windows\\SysWOW64\\msvbvm60.dll", "id": "region_160", "name": "msvbvm60.dll", "norm_filename": "c:\\windows\\syswow64\\msvbvm60.dll", "region_type": "memory_mapped_file", "start_va": 1922301952, "timestamp": "00:00:22.604", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 49152, "start_va": 1963655168, "type": "region", "version": 1 }, "end_va": 1963704319, "entry_point": 1963655168, "filename": "\\Windows\\SysWOW64\\cryptbase.dll", "id": "region_161", "name": "cryptbase.dll", "norm_filename": "c:\\windows\\syswow64\\cryptbase.dll", "region_type": "memory_mapped_file", "start_va": 1963655168, "timestamp": "00:00:22.626", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 393216, "start_va": 1963720704, "type": "region", "version": 1 }, "end_va": 1964113919, "entry_point": 1963720704, "filename": "\\Windows\\SysWOW64\\sspicli.dll", "id": "region_162", "name": "sspicli.dll", "norm_filename": "c:\\windows\\syswow64\\sspicli.dll", "region_type": "memory_mapped_file", "start_va": 1963720704, "timestamp": "00:00:22.633", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1048576, "start_va": 1964113920, "type": "region", "version": 1 }, "end_va": 1965162495, "entry_point": 1964113920, "filename": "\\Windows\\SysWOW64\\user32.dll", "id": "region_163", "name": "user32.dll", "norm_filename": "c:\\windows\\syswow64\\user32.dll", "region_type": "memory_mapped_file", "start_va": 1964113920, "timestamp": "00:00:22.643", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 102400, "start_va": 1965293568, "type": "region", "version": 1 }, "end_va": 1965395967, "entry_point": 1965293568, "filename": "\\Windows\\SysWOW64\\sechost.dll", "id": "region_164", "name": "sechost.dll", "norm_filename": "c:\\windows\\syswow64\\sechost.dll", "region_type": "memory_mapped_file", "start_va": 1965293568, "timestamp": "00:00:22.710", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 704512, "start_va": 1965424640, "type": "region", "version": 1 }, "end_va": 1966129151, "entry_point": 1965424640, "filename": "\\Windows\\SysWOW64\\msvcrt.dll", "id": "region_165", "name": "msvcrt.dll", "norm_filename": "c:\\windows\\syswow64\\msvcrt.dll", "region_type": "memory_mapped_file", "start_va": 1965424640, "timestamp": "00:00:22.723", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 983040, "start_va": 1966866432, "type": "region", "version": 1 }, "end_va": 1967849471, "entry_point": 1966866432, "filename": "\\Windows\\SysWOW64\\rpcrt4.dll", "id": "region_166", "name": "rpcrt4.dll", "norm_filename": "c:\\windows\\syswow64\\rpcrt4.dll", "region_type": "memory_mapped_file", "start_va": 1966866432, "timestamp": "00:00:22.744", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 589824, "start_va": 1968046080, "type": "region", "version": 1 }, "end_va": 1968635903, "entry_point": 1968046080, "filename": "\\Windows\\SysWOW64\\gdi32.dll", "id": "region_167", "name": "gdi32.dll", "norm_filename": "c:\\windows\\syswow64\\gdi32.dll", "region_type": "memory_mapped_file", "start_va": 1968046080, "timestamp": "00:00:23.066", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1425408, "start_va": 1968635904, "type": "region", "version": 1 }, "end_va": 1970061311, "entry_point": 1968635904, "filename": "\\Windows\\SysWOW64\\ole32.dll", "id": "region_168", "name": "ole32.dll", "norm_filename": "c:\\windows\\syswow64\\ole32.dll", "region_type": "memory_mapped_file", "start_va": 1968635904, "timestamp": "00:00:23.127", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 585728, "start_va": 1983774720, "type": "region", "version": 1 }, "end_va": 1984360447, "entry_point": 1983774720, "filename": "\\Windows\\SysWOW64\\oleaut32.dll", "id": "region_169", "name": "oleaut32.dll", "norm_filename": "c:\\windows\\syswow64\\oleaut32.dll", "region_type": "memory_mapped_file", "start_va": 1983774720, "timestamp": "00:00:23.353", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 40960, "start_va": 1987379200, "type": "region", "version": 1 }, "end_va": 1987420159, "entry_point": 1987379200, "filename": "\\Windows\\SysWOW64\\lpk.dll", "id": "region_170", "name": "lpk.dll", "norm_filename": "c:\\windows\\syswow64\\lpk.dll", "region_type": "memory_mapped_file", "start_va": 1987379200, "timestamp": "00:00:23.363", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 655360, "start_va": 1987444736, "type": "region", "version": 1 }, "end_va": 1988100095, "entry_point": 1987444736, "filename": "\\Windows\\SysWOW64\\advapi32.dll", "id": "region_171", "name": "advapi32.dll", "norm_filename": "c:\\windows\\syswow64\\advapi32.dll", "region_type": "memory_mapped_file", "start_va": 1987444736, "timestamp": "00:00:23.371", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 643072, "start_va": 1991442432, "type": "region", "version": 1 }, "end_va": 1992085503, "entry_point": 1991442432, "filename": "\\Windows\\SysWOW64\\usp10.dll", "id": "region_172", "name": "usp10.dll", "norm_filename": "c:\\windows\\syswow64\\usp10.dll", "region_type": "memory_mapped_file", "start_va": 1991442432, "timestamp": "00:00:23.447", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 1048576, "start_va": 2130575360, "type": "region", "version": 1 }, "end_va": 2131623935, "entry_point": 0, "filename": null, "id": "region_173", "name": "pagefile_0x000000007efe0000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2130575360, "timestamp": "00:00:23.455", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "region_too_big" ], "info": "No dump was created because region size surpasses maximum region dump size of the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 15728640, "start_va": 2131623936, "type": "region", "version": 1 }, "end_va": 2147352575, "entry_point": 0, "filename": null, "id": "region_174", "name": "private_0x000000007f0e0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2131623936, "timestamp": "00:00:23.455", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 1605632, "start_va": 6553600, "type": "region", "version": 1 }, "end_va": 8159231, "entry_point": 0, "filename": null, "id": "region_175", "name": "pagefile_0x0000000000640000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 6553600, "timestamp": "00:00:23.471", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000176-addr_0x0000000000800000-size_0x0000000000010000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_15", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 8388608, "type": "region", "version": 1 }, "end_va": 8454143, "entry_point": 0, "filename": null, "id": "region_176", "name": "private_0x0000000000800000", "norm_filename": null, "region_type": "private_memory", "start_va": 8388608, "timestamp": "00:00:23.471", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 835584, "start_va": 1990197248, "type": "region", "version": 1 }, "end_va": 1991032831, "entry_point": 1990197248, "filename": "\\Windows\\SysWOW64\\msctf.dll", "id": "region_177", "name": "msctf.dll", "norm_filename": "c:\\windows\\syswow64\\msctf.dll", "region_type": "memory_mapped_file", "start_va": 1990197248, "timestamp": "00:00:23.471", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 393216, "start_va": 1991049216, "type": "region", "version": 1 }, "end_va": 1991442431, "entry_point": 1991049216, "filename": "\\Windows\\SysWOW64\\imm32.dll", "id": "region_178", "name": "imm32.dll", "norm_filename": "c:\\windows\\syswow64\\imm32.dll", "region_type": "memory_mapped_file", "start_va": 1991049216, "timestamp": "00:00:23.484", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000179-addr_0x0000000000020000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_16", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 131072, "type": "region", "version": 1 }, "end_va": 135167, "entry_point": 0, "filename": null, "id": "region_179", "name": "private_0x0000000000020000", "norm_filename": null, "region_type": "private_memory", "start_va": 131072, "timestamp": "00:00:23.553", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000180-addr_0x0000000000030000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_17", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 196608, "type": "region", "version": 1 }, "end_va": 200703, "entry_point": 0, "filename": null, "id": "region_180", "name": "private_0x0000000000030000", "norm_filename": null, "region_type": "private_memory", "start_va": 196608, "timestamp": "00:00:23.553", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 1576960, "start_va": 8454144, "type": "region", "version": 1 }, "end_va": 10031103, "entry_point": 0, "filename": null, "id": "region_181", "name": "pagefile_0x0000000000810000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 8454144, "timestamp": "00:00:23.553", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "region_too_big" ], "info": "No dump was created because region size surpasses maximum region dump size of the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 20971520, "start_va": 10092544, "type": "region", "version": 1 }, "end_va": 31064063, "entry_point": 0, "filename": null, "id": "region_182", "name": "pagefile_0x00000000009a0000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 10092544, "timestamp": "00:00:23.553", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000183-addr_0x0000000001f60000-size_0x0000000000010000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_18", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 32899072, "type": "region", "version": 1 }, "end_va": 32964607, "entry_point": 0, "filename": null, "id": "region_183", "name": "private_0x0000000001f60000", "norm_filename": null, "region_type": "private_memory", "start_va": 32899072, "timestamp": "00:00:23.588", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000184-addr_0x0000000001f70000-size_0x0000000000400000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_19", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4194304, "start_va": 32964608, "type": "region", "version": 1 }, "end_va": 37158911, "entry_point": 0, "filename": null, "id": "region_184", "name": "private_0x0000000001f70000", "norm_filename": null, "region_type": "private_memory", "start_va": 32964608, "timestamp": "00:00:23.588", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable" ], "ref_process_dump": null, "size": 2945024, "start_va": 37158912, "type": "region", "version": 1 }, "end_va": 40103935, "entry_point": 37158912, "filename": "\\Windows\\Globalization\\Sorting\\SortDefault.nls", "id": "region_185", "name": "sortdefault.nls", "norm_filename": "c:\\windows\\globalization\\sorting\\sortdefault.nls", "region_type": "memory_mapped_file", "start_va": 37158912, "timestamp": "00:00:23.593", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000186-addr_0x0000000001da0000-size_0x00000000001a0000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_20", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1703936, "start_va": 31064064, "type": "region", "version": 1 }, "end_va": 32767999, "entry_point": 0, "filename": null, "id": "region_186", "name": "private_0x0000000001da0000", "norm_filename": null, "region_type": "private_memory", "start_va": 31064064, "timestamp": "00:00:23.596", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000187-addr_0x0000000000360000-size_0x0000000000040000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_21", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 262144, "start_va": 3538944, "type": "region", "version": 1 }, "end_va": 3801087, "entry_point": 0, "filename": null, "id": "region_187", "name": "private_0x0000000000360000", "norm_filename": null, "region_type": "private_memory", "start_va": 3538944, "timestamp": "00:00:23.604", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 524288, "start_va": 1938489344, "type": "region", "version": 1 }, "end_va": 1939013631, "entry_point": 1938489344, "filename": "\\Windows\\SysWOW64\\uxtheme.dll", "id": "region_188", "name": "uxtheme.dll", "norm_filename": "c:\\windows\\syswow64\\uxtheme.dll", "region_type": "memory_mapped_file", "start_va": 1938489344, "timestamp": "00:00:23.605", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000189-addr_0x0000000000210000-size_0x0000000000040000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_22", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 262144, "start_va": 2162688, "type": "region", "version": 1 }, "end_va": 2424831, "entry_point": 0, "filename": null, "id": "region_189", "name": "private_0x0000000000210000", "norm_filename": null, "region_type": "private_memory", "start_va": 2162688, "timestamp": "00:00:23.619", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 913408, "start_va": 4521984, "type": "region", "version": 1 }, "end_va": 5435391, "entry_point": 0, "filename": null, "id": "region_190", "name": "pagefile_0x0000000000450000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 4521984, "timestamp": "00:00:23.621", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000191-addr_0x0000000000250000-size_0x0000000000010000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_23", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 2424832, "type": "region", "version": 1 }, "end_va": 2490367, "entry_point": 0, "filename": null, "id": "region_191", "name": "private_0x0000000000250000", "norm_filename": null, "region_type": "private_memory", "start_va": 2424832, "timestamp": "00:00:23.640", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000192-addr_0x0000000000350000-size_0x0000000000010000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_24", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 3473408, "type": "region", "version": 1 }, "end_va": 3538943, "entry_point": 0, "filename": null, "id": "region_192", "name": "private_0x0000000000350000", "norm_filename": null, "region_type": "private_memory", "start_va": 3473408, "timestamp": "00:00:23.640", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 389120, "start_va": 1961623552, "type": "region", "version": 1 }, "end_va": 1962012671, "entry_point": 1961623552, "filename": "\\Windows\\SysWOW64\\sxs.dll", "id": "region_193", "name": "sxs.dll", "norm_filename": "c:\\windows\\syswow64\\sxs.dll", "region_type": "memory_mapped_file", "start_va": 1961623552, "timestamp": "00:00:23.685", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 77824, "start_va": 1933770752, "type": "region", "version": 1 }, "end_va": 1933848575, "entry_point": 1933770752, "filename": "\\Windows\\SysWOW64\\dwmapi.dll", "id": "region_194", "name": "dwmapi.dll", "norm_filename": "c:\\windows\\syswow64\\dwmapi.dll", "region_type": "memory_mapped_file", "start_va": 1933770752, "timestamp": "00:00:24.090", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 28672, "start_va": 2490368, "type": "region", "version": 1 }, "end_va": 2519039, "entry_point": 0, "filename": null, "id": "region_195", "name": "pagefile_0x0000000000260000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2490368, "timestamp": "00:00:24.107", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable", "writable" ], "ref_process_dump": null, "size": 8192, "start_va": 2555904, "type": "region", "version": 1 }, "end_va": 2564095, "entry_point": 0, "filename": null, "id": "region_196", "name": "pagefile_0x0000000000270000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2555904, "timestamp": "00:00:24.107", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 4141056, "start_va": 40108032, "type": "region", "version": 1 }, "end_va": 44249087, "entry_point": 0, "filename": null, "id": "region_197", "name": "pagefile_0x0000000002640000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 40108032, "timestamp": "00:00:24.107", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable" ], "ref_process_dump": null, "size": 9633792, "start_va": 44302336, "type": "region", "version": 1 }, "end_va": 53936127, "entry_point": 44302336, "filename": "\\Windows\\Fonts\\StaticCache.dat", "id": "region_198", "name": "staticcache.dat", "norm_filename": "c:\\windows\\fonts\\staticcache.dat", "region_type": "memory_mapped_file", "start_va": 44302336, "timestamp": "00:00:24.113", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 331776, "start_va": 1961230336, "type": "region", "version": 1 }, "end_va": 1961562111, "entry_point": 1961230336, "filename": "\\Windows\\SysWOW64\\winspool.drv", "id": "region_199", "name": "winspool.drv", "norm_filename": "c:\\windows\\syswow64\\winspool.drv", "region_type": "memory_mapped_file", "start_va": 1961230336, "timestamp": "00:00:24.329", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000200-addr_0x0000000001da0000-size_0x0000000000090000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_25", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 589824, "start_va": 31064064, "type": "region", "version": 1 }, "end_va": 31653887, "entry_point": 0, "filename": null, "id": "region_200", "name": "private_0x0000000001da0000", "norm_filename": null, "region_type": "private_memory", "start_va": 31064064, "timestamp": "00:00:24.353", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000201-addr_0x0000000001f00000-size_0x0000000000040000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_26", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 262144, "start_va": 32505856, "type": "region", "version": 1 }, "end_va": 32767999, "entry_point": 0, "filename": null, "id": "region_201", "name": "private_0x0000000001f00000", "norm_filename": null, "region_type": "private_memory", "start_va": 32505856, "timestamp": "00:00:24.354", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000202-addr_0x0000000000310000-size_0x0000000000040000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_27", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 262144, "start_va": 3211264, "type": "region", "version": 1 }, "end_va": 3473407, "entry_point": 0, "filename": null, "id": "region_202", "name": "private_0x0000000000310000", "norm_filename": null, "region_type": "private_memory", "start_va": 3211264, "timestamp": "00:00:30.924", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000203-addr_0x0000000003370000-size_0x0000000000100000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_28", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1048576, "start_va": 53936128, "type": "region", "version": 1 }, "end_va": 54984703, "entry_point": 0, "filename": null, "id": "region_203", "name": "private_0x0000000003370000", "norm_filename": null, "region_type": "private_memory", "start_va": 53936128, "timestamp": "00:00:30.925", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000204-addr_0x000000007efd8000-size_0x0000000000003000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_29", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 12288, "start_va": 2130542592, "type": "region", "version": 1 }, "end_va": 2130554879, "entry_point": 0, "filename": null, "id": "region_204", "name": "private_0x000000007efd8000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130542592, "timestamp": "00:00:30.925", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 8192, "start_va": 2621440, "type": "region", "version": 1 }, "end_va": 2629631, "entry_point": 0, "filename": null, "id": "region_205", "name": "pagefile_0x0000000000280000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2621440, "timestamp": "00:00:30.951", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable" ], "ref_process_dump": null, "size": 4096, "start_va": 2621440, "type": "region", "version": 1 }, "end_va": 2625535, "entry_point": 2621440, "filename": "\\Windows\\SysWOW64\\en-US\\msctf.dll.mui", "id": "region_206", "name": "msctf.dll.mui", "norm_filename": "c:\\windows\\syswow64\\en-us\\msctf.dll.mui", "region_type": "memory_mapped_file", "start_va": 2621440, "timestamp": "00:00:30.954", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 8192, "start_va": 3801088, "type": "region", "version": 1 }, "end_va": 3809279, "entry_point": 0, "filename": null, "id": "region_207", "name": "pagefile_0x00000000003a0000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 3801088, "timestamp": "00:00:30.967", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000208-addr_0x0000000001da0000-size_0x0000000000080000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_30", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 524288, "start_va": 31064064, "type": "region", "version": 1 }, "end_va": 31588351, "entry_point": 0, "filename": null, "id": "region_208", "name": "private_0x0000000001da0000", "norm_filename": null, "region_type": "private_memory", "start_va": 31064064, "timestamp": "00:00:30.970", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000209-addr_0x0000000001e20000-size_0x0000000000010000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_31", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 31588352, "type": "region", "version": 1 }, "end_va": 31653887, "entry_point": 0, "filename": null, "id": "region_209", "name": "private_0x0000000001e20000", "norm_filename": null, "region_type": "private_memory", "start_va": 31588352, "timestamp": "00:00:30.972", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000210-addr_0x00000000003a0000-size_0x0000000000009000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_32", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 36864, "start_va": 3801088, "type": "region", "version": 1 }, "end_va": 3837951, "entry_point": 0, "filename": null, "id": "region_210", "name": "private_0x00000000003a0000", "norm_filename": null, "region_type": "private_memory", "start_va": 3801088, "timestamp": "00:00:30.980", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "region_too_big" ], "info": "No dump was created because region size surpasses maximum region dump size of the configuration", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 67108864, "start_va": 54984704, "type": "region", "version": 1 }, "end_va": 122093567, "entry_point": 0, "filename": null, "id": "region_211", "name": "private_0x0000000003470000", "norm_filename": null, "region_type": "private_memory", "start_va": 54984704, "timestamp": "00:00:42.271", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 12886016, "start_va": 1970864128, "type": "region", "version": 1 }, "end_va": 1983750143, "entry_point": 1970864128, "filename": "\\Windows\\SysWOW64\\shell32.dll", "id": "region_212", "name": "shell32.dll", "norm_filename": "c:\\windows\\syswow64\\shell32.dll", "region_type": "memory_mapped_file", "start_va": 1970864128, "timestamp": "00:00:49.934", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 356352, "start_va": 1997537280, "type": "region", "version": 1 }, "end_va": 1997893631, "entry_point": 1997537280, "filename": "\\Windows\\SysWOW64\\shlwapi.dll", "id": "region_213", "name": "shlwapi.dll", "norm_filename": "c:\\windows\\syswow64\\shlwapi.dll", "region_type": "memory_mapped_file", "start_va": 1997537280, "timestamp": "00:00:50.872", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000001-region_00000214-addr_0x00000000003b0000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_33", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 3866624, "type": "region", "version": 1 }, "end_va": 3870719, "entry_point": 0, "filename": null, "id": "region_214", "name": "private_0x00000000003b0000", "norm_filename": null, "region_type": "private_memory", "start_va": 3866624, "timestamp": "00:00:50.949", "type": "region", "version": 1 } ], "terminate_reason": "terminated", "type": "monitored_process", "unmonitor_reason": "terminated_by_timeout", "version": 1 }, { "cmd_line": "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\" ", "filename": "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "id": "proc_2", "image_name": "ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "monitor_reason": "child_process", "monitored_id": 2, "origin_monitor_id": 1, "ref_parent_process": { "ref_id": "proc_1", "ref_source": "summary", "ref_type": "monitored_process", "type": "reference", "version": 1 }, "regions": [ { "dump": { "filename": "process_00000002-region_00000215-addr_0x0000000000010000-size_0x0000000000020000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_34", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 131072, "start_va": 65536, "type": "region", "version": 1 }, "end_va": 196607, "entry_point": 0, "filename": null, "id": "region_215", "name": "private_0x0000000000010000", "norm_filename": null, "region_type": "private_memory", "start_va": 65536, "timestamp": "00:00:50.958", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000216-addr_0x0000000000030000-size_0x0000000000002000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_35", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 8192, "start_va": 196608, "type": "region", "version": 1 }, "end_va": 204799, "entry_point": 0, "filename": null, "id": "region_216", "name": "private_0x0000000000030000", "norm_filename": null, "region_type": "private_memory", "start_va": 196608, "timestamp": "00:00:50.959", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 4096, "start_va": 262144, "type": "region", "version": 1 }, "end_va": 266239, "entry_point": 262144, "filename": "\\Windows\\System32\\apisetschema.dll", "id": "region_217", "name": "apisetschema.dll", "norm_filename": "c:\\windows\\system32\\apisetschema.dll", "region_type": "memory_mapped_file", "start_va": 262144, "timestamp": "00:00:50.959", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000218-addr_0x0000000000050000-size_0x0000000000040000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_36", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 262144, "start_va": 327680, "type": "region", "version": 1 }, "end_va": 589823, "entry_point": 0, "filename": null, "id": "region_218", "name": "private_0x0000000000050000", "norm_filename": null, "region_type": "private_memory", "start_va": 327680, "timestamp": "00:00:50.962", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000219-addr_0x0000000000090000-size_0x0000000000100000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_37", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1048576, "start_va": 589824, "type": "region", "version": 1 }, "end_va": 1638399, "entry_point": 0, "filename": null, "id": "region_219", "name": "private_0x0000000000090000", "norm_filename": null, "region_type": "private_memory", "start_va": 589824, "timestamp": "00:00:50.962", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 16384, "start_va": 1638400, "type": "region", "version": 1 }, "end_va": 1654783, "entry_point": 0, "filename": null, "id": "region_220", "name": "pagefile_0x0000000000190000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 1638400, "timestamp": "00:00:50.962", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000221-addr_0x0000000000400000-size_0x0000000000024000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_38", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 147456, "start_va": 4194304, "type": "region", "version": 1 }, "end_va": 4341759, "entry_point": 0, "filename": null, "id": "region_221", "name": "private_0x0000000000400000", "norm_filename": null, "region_type": "private_memory", "start_va": 4194304, "timestamp": "00:00:50.962", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1740800, "start_va": 2000158720, "type": "region", "version": 1 }, "end_va": 2001899519, "entry_point": 2000158720, "filename": "\\Windows\\System32\\ntdll.dll", "id": "region_222", "name": "ntdll.dll", "norm_filename": "c:\\windows\\system32\\ntdll.dll", "region_type": "memory_mapped_file", "start_va": 2000158720, "timestamp": "00:00:50.962", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1572864, "start_va": 2002124800, "type": "region", "version": 1 }, "end_va": 2003697663, "entry_point": 2002124800, "filename": "\\Windows\\SysWOW64\\ntdll.dll", "id": "region_223", "name": "ntdll.dll", "norm_filename": "c:\\windows\\syswow64\\ntdll.dll", "region_type": "memory_mapped_file", "start_va": 2002124800, "timestamp": "00:00:50.963", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 143360, "start_va": 2130378752, "type": "region", "version": 1 }, "end_va": 2130522111, "entry_point": 0, "filename": null, "id": "region_224", "name": "pagefile_0x000000007efb0000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2130378752, "timestamp": "00:00:50.963", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000225-addr_0x000000007efdb000-size_0x0000000000003000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_39", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 12288, "start_va": 2130554880, "type": "region", "version": 1 }, "end_va": 2130567167, "entry_point": 0, "filename": null, "id": "region_225", "name": "private_0x000000007efdb000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130554880, "timestamp": "00:00:50.964", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000226-addr_0x000000007efde000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_40", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 2130567168, "type": "region", "version": 1 }, "end_va": 2130571263, "entry_point": 0, "filename": null, "id": "region_226", "name": "private_0x000000007efde000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130567168, "timestamp": "00:00:50.964", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000227-addr_0x000000007efdf000-size_0x0000000000001000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_41", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 4096, "start_va": 2130571264, "type": "region", "version": 1 }, "end_va": 2130575359, "entry_point": 0, "filename": null, "id": "region_227", "name": "private_0x000000007efdf000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130571264, "timestamp": "00:00:50.964", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "region_too_big" ], "info": "No dump was created because region size surpasses maximum region dump size of the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 16777216, "start_va": 2130575360, "type": "region", "version": 1 }, "end_va": 2147352575, "entry_point": 0, "filename": null, "id": "region_228", "name": "private_0x000000007efe0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2130575360, "timestamp": "00:00:50.964", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000229-addr_0x000000007ffe0000-size_0x0000000000010000-perm_r.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable" ], "ref_process_dump": { "ref_id": "proc_dump_42", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 2147352576, "type": "region", "version": 1 }, "end_va": 2147418111, "entry_point": 0, "filename": null, "id": "region_229", "name": "private_0x000000007ffe0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2147352576, "timestamp": "00:00:50.965", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "ignored_region" ], "info": "No dump was created because this is an ignored region", "permissions": [ "readable" ], "ref_process_dump": null, "size": 8793945538560, "start_va": 2147418112, "type": "region", "version": 1 }, "end_va": 8796092956671, "entry_point": 0, "filename": null, "id": "region_230", "name": "private_0x000000007fff0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2147418112, "timestamp": "00:00:50.965", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000231-addr_0x00000000002b0000-size_0x0000000000080000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_43", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 524288, "start_va": 2818048, "type": "region", "version": 1 }, "end_va": 3342335, "entry_point": 0, "filename": null, "id": "region_231", "name": "private_0x00000000002b0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2818048, "timestamp": "00:00:50.978", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 376832, "start_va": 1940324352, "type": "region", "version": 1 }, "end_va": 1940701183, "entry_point": 1940584344, "filename": "\\Windows\\System32\\wow64win.dll", "id": "region_232", "name": "wow64win.dll", "norm_filename": "c:\\windows\\system32\\wow64win.dll", "region_type": "memory_mapped_file", "start_va": 1940324352, "timestamp": "00:00:50.978", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 258048, "start_va": 1940717568, "type": "region", "version": 1 }, "end_va": 1940975615, "entry_point": 1940905592, "filename": "\\Windows\\System32\\wow64.dll", "id": "region_233", "name": "wow64.dll", "norm_filename": "c:\\windows\\system32\\wow64.dll", "region_type": "memory_mapped_file", "start_va": 1940717568, "timestamp": "00:00:50.979", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 32768, "start_va": 1941176320, "type": "region", "version": 1 }, "end_va": 1941209087, "entry_point": 1941184760, "filename": "\\Windows\\System32\\wow64cpu.dll", "id": "region_234", "name": "wow64cpu.dll", "norm_filename": "c:\\windows\\system32\\wow64cpu.dll", "region_type": "memory_mapped_file", "start_va": 1941176320, "timestamp": "00:00:50.979", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable", "writable" ], "ref_process_dump": null, "size": 65536, "start_va": 65536, "type": "region", "version": 1 }, "end_va": 131071, "entry_point": 0, "filename": null, "id": "region_235", "name": "pagefile_0x0000000000010000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 65536, "timestamp": "00:00:50.989", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable" ], "ref_process_dump": null, "size": 421888, "start_va": 1703936, "type": "region", "version": 1 }, "end_va": 2125823, "entry_point": 1703936, "filename": "\\Windows\\System32\\locale.nls", "id": "region_236", "name": "locale.nls", "norm_filename": "c:\\windows\\system32\\locale.nls", "region_type": "memory_mapped_file", "start_va": 1703936, "timestamp": "00:00:50.989", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000237-addr_0x0000000000540000-size_0x0000000000100000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_44", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1048576, "start_va": 5505024, "type": "region", "version": 1 }, "end_va": 6553599, "entry_point": 0, "filename": null, "id": "region_237", "name": "private_0x0000000000540000", "norm_filename": null, "region_type": "private_memory", "start_va": 5505024, "timestamp": "00:00:50.992", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 286720, "start_va": 1966211072, "type": "region", "version": 1 }, "end_va": 1966497791, "entry_point": 1966240888, "filename": "\\Windows\\SysWOW64\\KernelBase.dll", "id": "region_238", "name": "kernelbase.dll", "norm_filename": "c:\\windows\\syswow64\\kernelbase.dll", "region_type": "memory_mapped_file", "start_va": 1966211072, "timestamp": "00:00:50.992", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "unmonitored" ], "info": "No dump was created because region is not monitored", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": null, "size": 1114112, "start_va": 1985675264, "type": "region", "version": 1 }, "end_va": 1986789375, "entry_point": 1985753811, "filename": "\\Windows\\SysWOW64\\kernel32.dll", "id": "region_239", "name": "kernel32.dll", "norm_filename": "c:\\windows\\syswow64\\kernel32.dll", "region_type": "memory_mapped_file", "start_va": 1985675264, "timestamp": "00:00:50.993", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000240-addr_0x0000000077160000-size_0x00000000000fa000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_45", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1024000, "start_va": 1997930496, "type": "region", "version": 1 }, "end_va": 1998954495, "entry_point": 0, "filename": null, "id": "region_240", "name": "private_0x0000000077160000", "norm_filename": null, "region_type": "private_memory", "start_va": 1997930496, "timestamp": "00:00:50.994", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000241-addr_0x0000000077260000-size_0x000000000011f000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_46", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1175552, "start_va": 1998979072, "type": "region", "version": 1 }, "end_va": 2000154623, "entry_point": 0, "filename": null, "id": "region_241", "name": "private_0x0000000077260000", "norm_filename": null, "region_type": "private_memory", "start_va": 1998979072, "timestamp": "00:00:50.994", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "pagefile_backed_regions_ignored" ], "info": "No dump created because pagefile backed regions are disabled in the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 1048576, "start_va": 2130575360, "type": "region", "version": 1 }, "end_va": 2131623935, "entry_point": 0, "filename": null, "id": "region_242", "name": "pagefile_0x000000007efe0000", "norm_filename": null, "region_type": "pagefile_backed_memory", "start_va": 2130575360, "timestamp": "00:00:50.994", "type": "region", "version": 1 }, { "dump": { "filename": "", "flags": [ "region_too_big" ], "info": "No dump was created because region size surpasses maximum region dump size of the configuration", "permissions": [ "readable" ], "ref_process_dump": null, "size": 15728640, "start_va": 2131623936, "type": "region", "version": 1 }, "end_va": 2147352575, "entry_point": 0, "filename": null, "id": "region_243", "name": "private_0x000000007f0e0000", "norm_filename": null, "region_type": "private_memory", "start_va": 2131623936, "timestamp": "00:00:50.995", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000244-addr_0x0000000000780000-size_0x0000000000181000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_47", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 1576960, "start_va": 7864320, "type": "region", "version": 1 }, "end_va": 9441279, "entry_point": 0, "filename": null, "id": "region_244", "name": "private_0x0000000000780000", "norm_filename": null, "region_type": "private_memory", "start_va": 7864320, "timestamp": "00:00:51.463", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000245-addr_0x0000000000910000-size_0x0000000000303000-perm_rwx.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable", "executable" ], "ref_process_dump": { "ref_id": "proc_dump_48", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 3158016, "start_va": 9502720, "type": "region", "version": 1 }, "end_va": 12660735, "entry_point": 0, "filename": null, "id": "region_245", "name": "private_0x0000000000910000", "norm_filename": null, "region_type": "private_memory", "start_va": 9502720, "timestamp": "00:00:51.463", "type": "region", "version": 1 }, { "dump": { "filename": "process_00000002-region_00000246-addr_0x0000000000020000-size_0x0000000000010000-perm_rw.bin", "flags": [ "dumped" ], "info": "Region dumped", "permissions": [ "readable", "writable" ], "ref_process_dump": { "ref_id": "proc_dump_49", "ref_source": "summary", "ref_type": "process_dump", "type": "reference", "version": 1 }, "size": 65536, "start_va": 131072, "type": "region", "version": 1 }, "end_va": 196607, "entry_point": 0, "filename": null, "id": "region_246", "name": "private_0x0000000000020000", "norm_filename": null, "region_type": "private_memory", "start_va": 131072, "timestamp": "00:00:51.478", "type": "region", "version": 1 } ], "terminate_reason": "terminated", "type": "monitored_process", "unmonitor_reason": "terminated_by_timeout", "version": 1 } ], "remarks": { "critical": [], "non_critical": [], "type": "remarks", "version": 1 }, "sample_details": { "filename": "ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe", "id": 18795, "md5_hash": "f5aceff295707412e7679e7c0f3a797e", "sample_type": "windows_exe_(x86-32)", "sha1_hash": "89c58b4bc7130630ff093afe1c57614a4b85ddc7", "sha256_hash": "ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d", "size": 290816, "type": "sample_details", "version": 1 }, "screenshots": [ { "screenshot_archive_path": "screenshots/screenshot_0.png", "size": 114350, "thumbnail_archive_path": "screenshots/thumbnail_0.png", "timestamp": "00:00:00.000", "type": "screenshot", "version": 1 }, { "screenshot_archive_path": "screenshots/screenshot_19280.png", "size": 117773, "thumbnail_archive_path": "screenshots/thumbnail_19280.png", "timestamp": "00:00:19.280", "type": "screenshot", "version": 1 }, { "screenshot_archive_path": "screenshots/screenshot_22065.png", "size": 114312, "thumbnail_archive_path": "screenshots/thumbnail_22065.png", "timestamp": "00:00:22.065", "type": "screenshot", "version": 1 }, { "screenshot_archive_path": "screenshots/screenshot_28750.png", "size": 111851, "thumbnail_archive_path": "screenshots/thumbnail_28750.png", "timestamp": "00:00:28.750", "type": "screenshot", "version": 1 } ], "type": "summary", "version": 1, "vm_and_analyzer_details": { "adobe_acrobat_reader_version": "not_installed", "analyzer_build_date": "2017-09-12 16:39", "analyzer_version": "2.2.0", "chrome_version": "58.0.3029.110", "firefox_version": "25.0", "flash_version": "10.3.183.75", "internet_explorer_version": "8.0.7601.17514", "java_version": "7.0.450", "microsoft_excel_version": "not_installed", "microsoft_office_version": "not_installed", "microsoft_power_point_version": "not_installed", "microsoft_project_version": "not_installed", "microsoft_publisher_version": "not_installed", "microsoft_visio_version": "not_installed", "microsoft_word_version": "not_installed", "silverlight_version": "not_installed", "type": "vm_and_analyzer_details", "version": 1, "vm_architecture": "x86_64-bit", "vm_kernel_version": "6.1.7601.17514_(3844dbb9-2017-4967-be7a-a4a2c20430fa)", "vm_name": null, "vm_os": "windows_7" }, "vti": { "type": "vti", "version": 1, "vti_built_in_rules_version": "2.6", "vti_rule_matches": [ { "artifacts": { "files": [], "ips": [], "mutexes": [ { "mutex_name": "Nameless", "operations": [ "access" ], "type": "mutex_artifact", "version": 1 } ], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_process", "category_desc": "Process", "operation": "_install_ipc_endpoint", "operation_desc": "Create system object", "ref_gfncalls": [ { "ref_id": "gfn_17", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_install_ipc_endpoint", "technique_desc": "Create nameless mutex.", "technique_path": "built_in._process._install_ipc_endpoint.vmray_install_ipc_endpoint", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_anti_analysis", "category_desc": "Anti Analysis", "operation": "_dynamic_api_usage", "operation_desc": "Dynamic API usage", "ref_gfncalls": [ { "ref_id": "gfn_86", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_dynamic_api_usage_by_api", "technique_desc": "Resolve above average number of APIs.", "technique_path": "built_in._anti_analysis._dynamic_api_usage.vmray_dynamic_api_usage_by_api", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_process", "category_desc": "Process", "operation": "_create_process_with_hidden_window", "operation_desc": "Create process with hidden window", "ref_gfncalls": [ { "ref_id": "gfn_1313", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_create_process_with_hidden_window", "technique_desc": "The process \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\" starts with hidden window.", "technique_path": "built_in._process._create_process_with_hidden_window.vmray_create_process_with_hidden_window", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_process", "category_desc": "Process", "operation": "_create_executable_page", "operation_desc": "Create a page with write and execute permissions", "ref_gfncalls": [ { "ref_id": "gfn_1325", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_allocate_wx_page", "technique_desc": "Allocate a page in a foreign process with \"PAGE_EXECUTE_READWRITE\" permissions, often used to dynamically unpack code.", "technique_path": "built_in._process._create_executable_page.vmray_allocate_wx_page", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [ { "filename": "\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", "hashes": [], "norm_filename": "c:\\windows\\syswow64\\ntdll.dll", "operations": [ "access" ], "type": "file_artifact", "version": 1 } ], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_file_system", "category_desc": "File System", "operation": "_modify_os_dir", "operation_desc": "Modify operating system directory", "ref_gfncalls": [ { "ref_id": "gfn_1342", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_create_file_in_os_dir", "technique_desc": "Create file \"\\??\\C:\\Windows\\SysWOW64\\ntdll.dll\" in the OS directory.", "technique_path": "built_in._file_system._modify_os_dir.vmray_create_file_in_os_dir", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [ { "filename": "\\??\\C:\\Windows\\SysWOW64\\ntdll.dll", "hashes": [], "norm_filename": "c:\\windows\\syswow64\\ntdll.dll", "operations": [ "access" ], "type": "file_artifact", "version": 1 } ], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_file_system", "category_desc": "File System", "operation": "_modify_os_dir", "operation_desc": "Modify operating system directory", "ref_gfncalls": [ { "ref_id": "gfn_1342", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_overwrite_file_in_os_dir", "technique_desc": "Modify file \"\\??\\C:\\Windows\\SysWOW64\\ntdll.dll\" in the OS directory.", "technique_path": "built_in._file_system._modify_os_dir.vmray_overwrite_file_in_os_dir", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_anti_analysis", "category_desc": "Anti Analysis", "operation": "_detect_kernel_debugger", "operation_desc": "Try to detect kernel debugger", "ref_gfncalls": [ { "ref_id": "gfn_1348", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 2, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_detect_kernel_debugger_by_api", "technique_desc": "Check via API \"NtQuerySystemInformation\".", "technique_path": "built_in._anti_analysis._detect_kernel_debugger.vmray_detect_kernel_debugger_by_api", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_anti_analysis", "category_desc": "Anti Analysis", "operation": "_detect_debugger", "operation_desc": "Try to detect debugger", "ref_gfncalls": [ { "ref_id": "gfn_1349", "ref_source": "glog", "ref_type": "gfncall", "type": "reference", "version": 1 } ], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_detect_debugger_by_api", "technique_desc": "Check via API \"NtQueryInformationProcess\".", "technique_path": "built_in._anti_analysis._detect_debugger.vmray_detect_debugger_by_api", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_injection", "category_desc": "Injection", "operation": "_modify_memory_non_system", "operation_desc": "Write into memory of a process running from a created or modified executable", "ref_gfncalls": [], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_modify_memory", "technique_desc": "\"c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\" modifies memory of \"c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\"", "technique_path": "built_in._injection._modify_memory_non_system.vmray_modify_memory", "type": "vti_rule_match", "version": 1 }, { "artifacts": { "files": [], "ips": [], "mutexes": [], "registry": [], "type": "artifacts", "urls": [], "version": 1 }, "category": "_injection", "category_desc": "Injection", "operation": "_modify_control_flow_non_system", "operation_desc": "Modify control flow of a process running from a created or modified executable", "ref_gfncalls": [], "rule_score": 1, "rule_type": "built_in", "rule_version": 1, "technique": "vmray_modify_control_flow_non_system", "technique_desc": "\"c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\" alters context of \"c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe\"", "technique_path": "built_in._injection._modify_control_flow_non_system.vmray_modify_control_flow_non_system", "type": "vti_rule_match", "version": 1 } ], "vti_rule_type": "Default (PE, ...)", "vti_score": 50 }, "yara": { "apply_yara": true, "apply_yara_on_created_files": true, "apply_yara_on_modified_files": true, "apply_yara_on_pcap_file": true, "apply_yara_on_process_dumps": true, "apply_yara_on_sample_files": true, "match_count": 0, "matches": [], "ruleset_count": 7, "type": "yara", "version": 1 } }