Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 19, 2021, 7:05 p.m.	Aug. 19, 2021, 7:12 p.m.

Size	616.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`1ad0ef26e95163677b3dc9cc45a707c1`
SHA256	`6c55126eb5ebfbf3bcdac310a44fe3debeabec192689e4706a377f0fcbb26d97`
CRC32	`A53FAE4E`
ssdeep	`6144:V36DZgMzpJiY3X0uv10eqya+Ibi1vEu5OhVVIfbgfaadGvJANrINK7uEgVM1E7Iz:VgZhriY3XzdaukGKT7uE+B7Irv9Ojx4`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\rob122DzjsdFA.dll,hgfhgdhgdh
568
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\rob122DzjsdFA.dll,hgfhgdhgdh1
360
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\rob122DzjsdFA.dll,hgfhgdhgdh2
1628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\rob122DzjsdFA.dll,hgfhgdhgdh3
1376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\rob122DzjsdFA.dll,klust
2320
- wermgr.exe C:\Windows\system32\wermgr.exe
  2712
  - svchost.exe C:\Windows\system32\svchost.exe
    2480
  - svchost.exe C:\Windows\system32\svchost.exe
    2828
  - svchost.exe C:\Windows\system32\svchost.exe
    1624
  - svchost.exe C:\Windows\system32\svchost.exe
    2080
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\rob122DzjsdFA.dll,
2760

Name	Response	Post-Analysis Lookup
icanhazip.com	A 104.18.7.156 A 104.18.6.156	104.18.6.156
150.134.208.175.b.barracudacentral.org	A 127.0.0.2	127.0.0.2
150.134.208.175.zen.spamhaus.org
150.134.208.175.cbl.abuseat.org

IP Address	Status	Action
104.18.7.156	Active	Moloch
164.124.101.2	Active	Moloch
179.189.229.254	Active	Moloch
181.129.167.82	Active	Moloch
182.253.210.130	Active	Moloch
216.166.148.187	Active	Moloch
221.147.172.5	Active	Moloch
46.99.175.149	Active	Moloch
46.99.175.217	Active	Moloch
5.152.175.57	Active	Moloch
62.99.79.77	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 46.99.175.217:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.99.175.217:443 -> 192.168.56.102:49170	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49175 -> 181.129.167.82:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49176 -> 5.152.175.57:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 181.129.167.82:443 -> 192.168.56.102:49175	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 5.152.175.57:443 -> 192.168.56.102:49176	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49172 -> 182.253.210.130:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49180 -> 221.147.172.5:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 182.253.210.130:443 -> 192.168.56.102:49172	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 221.147.172.5:443 -> 192.168.56.102:49180	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49184 -> 179.189.229.254:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 179.189.229.254:443 -> 192.168.56.102:49184	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49185 -> 182.253.210.130:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 182.253.210.130:443 -> 192.168.56.102:49185	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49171 -> 104.18.7.156:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49179 -> 46.99.175.149:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.102:49171 -> 104.18.7.156:80	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
TCP 46.99.175.149:443 -> 192.168.56.102:49179	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49170 46.99.175.217:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49175 181.129.167.82:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49176 5.152.175.57:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.102:49172 182.253.210.130:443	C=US, ST=IL, O=Internet Widgits Pty Ltd	C=US, ST=IL, O=Internet Widgits Pty Ltd	92:9c:54:61:4b:3c:f9:b4:92:51:95:d0:aa:d5:6b:b5:51:ab:1d:47
TLSv1 192.168.56.102:49180 221.147.172.5:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.102:49184 179.189.229.254:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.102:49185 182.253.210.130:443	C=US, ST=IL, O=Internet Widgits Pty Ltd	C=US, ST=IL, O=Internet Widgits Pty Ltd	92:9c:54:61:4b:3c:f9:b4:92:51:95:d0:aa:d5:6b:b5:51:ab:1d:47
TLSv1 192.168.56.102:49179 46.99.175.149:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 19, 2021, 6:58 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2021, 7:05 p.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 7:05 p.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 7:05 p.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 7:05 p.m.			0	0
IsDebuggerPresent Aug. 19, 2021, 7:05 p.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Aug. 19, 2021, 6:58 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x74e7f7f3 GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefde34190 SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef89aeb99 SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef89aec23 WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef89a3fe7 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 1998728048 registers.r15: 34476953 registers.rcx: 0 registers.rsi: 852701584 registers.r10: 0 registers.rbx: 0 registers.rsp: 2353920 registers.r11: 0 registers.r8: 5 registers.r9: 1961940992 registers.rdx: 2 registers.r12: 2804720 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 443	1
__exception__ Aug. 19, 2021, 6:58 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x74e7fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefde63096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefde630d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x7724bbe1 0xa0d5c exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 852691152 registers.r15: 852691072 registers.rcx: 24 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 2349496 registers.r11: -128 registers.r8: 3 registers.r9: 1961945856 registers.rdx: 3 registers.r12: 40 registers.rbp: 0 registers.rdi: 2349888 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 19, 2021, 6:58 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x74e7fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefde63096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefde630d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x7724bbe1 0xa0d5c exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 852691152 registers.r15: 852975376 registers.rcx: 24 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 2349496 registers.r11: -128 registers.r8: 3 registers.r9: 1961945856 registers.rdx: 3 registers.r12: 40 registers.rbp: 0 registers.rdi: 2349888 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 19, 2021, 6:59 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x74e7fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefde63096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefde630d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x7724bbe1 0xa0d5c exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 840911728 registers.r15: 852975824 registers.rcx: 24 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 2349496 registers.r11: -128 registers.r8: 3 registers.r9: 1961945856 registers.rdx: 3 registers.r12: 40 registers.rbp: 0 registers.rdi: 2349888 registers.rax: 4 registers.r13: 0	1
__exception__ Aug. 19, 2021, 6:59 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74e86d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77951278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x77919a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x7724b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x74e705bd hook_in_monitor+0x45 lde-0x133 @ 0x74e642ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x74e7fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefde63096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefde630d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x7724bbe1 0xa0d5c exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x77919a5a registers.r14: 840911728 registers.r15: 852975568 registers.rcx: 24 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 2349832 registers.r11: -128 registers.r8: 3 registers.r9: 1961945856 registers.rdx: 3 registers.r12: 40 registers.rbp: 0 registers.rdi: 2350224 registers.rax: 4 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (31 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/VBrxbxVtzflnZFntVrvDrbhh9DpxNP91/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CArh-CatZZJZJ1%5Cpbrob122DzjsdFAjl.dmo/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://182.253.210.130/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/FWOIp5kh3DLMcjCKxTuunRF9rlqyeE/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/10/62/WPBOZJHPCMRBXGGRBGT/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://5.152.175.57/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/pwgrabc64/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1H1RppdDhXfj7PjNJdPR9J/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://221.147.172.5/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/LCK2ejUfmsC9jBPIK/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/10/62/PFDXLJBFTVVVN/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/10/62/NLRTJPZNNBPFNPJ/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/23/100019/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/DNSBL/listed/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/1/Mjbaz7MK73OqbffW9ilztlcg/
suspicious_features	Connection to IP address	suspicious_request	GET https://182.253.210.130/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/networkDll64/

Performs some HTTP requests (32 events)

request	GET http://icanhazip.com/
request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/VBrxbxVtzflnZFntVrvDrbhh9DpxNP91/
request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CArh-CatZZJZJ1%5Cpbrob122DzjsdFAjl.dmo/0/
request	GET https://46.99.175.217/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://182.253.210.130/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/pwgrabb64/
request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/FWOIp5kh3DLMcjCKxTuunRF9rlqyeE/
request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://181.129.167.82/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/10/62/WPBOZJHPCMRBXGGRBGT/7/
request	GET https://5.152.175.57/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/pwgrabc64/
request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1H1RppdDhXfj7PjNJdPR9J/
request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
request	GET https://46.99.175.149/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://221.147.172.5/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/pwgrabb64/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/file/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/LCK2ejUfmsC9jBPIK/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/exc/E:%200xc0000005%20A:%200x0000000077919A5A/0/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/user/test22/0/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/10/62/PFDXLJBFTVVVN/7/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/10/62/NLRTJPZNNBPFNPJ/7/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/23/100019/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/14/DNSBL/listed/0/
request	GET https://179.189.229.254/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/1/Mjbaz7MK73OqbffW9ilztlcg/
request	GET https://182.253.210.130/rob122/TEST22-PC_W617601.3C3E558CBB3B7297799633BDCDF191BB/5/networkDll64/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1003d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f10000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73791000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1003d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f10000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73791000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1003d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e82000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e61000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1003d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f81000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f10000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73791000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e22000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1003d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e41000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d2000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e21000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73701000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 126 seconds, actually delayed analysis time by 126 seconds

Looks up the external IP address (1 event)

domain

icanhazip.com

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe
cmdline	C:\Windows\system32\svchost.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 19, 2021, 7:05 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00931000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 19, 2021, 6:58 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003f000', u'virtual_address': u'0x00054000', u'entropy': 7.7896979398010675, u'name': u'.rsrc', u'virtual_size': u'0x0003e460'}

entropy

7.7896979398

description

A section with a high entropy has been found

entropy

0.411764705882

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 19, 2021, 6:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (32 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 19, 2021, 7:05 p.m.	status_code: 0x00000000 process_identifier: 2364 process_handle: 0x00000118
NtTerminateProcess Aug. 19, 2021, 7:05 p.m.	status_code: 0x00000000 process_identifier: 2364 process_handle: 0x00000118	1
NtTerminateProcess Aug. 19, 2021, 6:58 p.m.	status_code: 0x00000000 process_identifier: 1808 process_handle: 0x000000000000040c
NtTerminateProcess Aug. 19, 2021, 6:58 p.m.	status_code: 0x00000000 process_identifier: 1808 process_handle: 0x000000000000040c	1
NtTerminateProcess Aug. 19, 2021, 6:59 p.m.	status_code: 0x00000000 process_identifier: 1516 process_handle: 0x000000000000044c
NtTerminateProcess Aug. 19, 2021, 6:59 p.m.	status_code: 0x00000000 process_identifier: 1516 process_handle: 0x000000000000044c	1
NtTerminateProcess Aug. 19, 2021, 6:59 p.m.	status_code: 0x00000000 process_identifier: 2556 process_handle: 0x0000000000000444
NtTerminateProcess Aug. 19, 2021, 6:59 p.m.	status_code: 0x00000000 process_identifier: 2556 process_handle: 0x0000000000000444	1

Communicates with host for which no DNS query was performed (9 events)

host	179.189.229.254
host	181.129.167.82
host	182.253.210.130
host	216.166.148.187
host	221.147.172.5
host	46.99.175.149
host	46.99.175.217
host	5.152.175.57
host	62.99.79.77

Allocates execute permission to another process indicative of possible code injection (50 out of 839 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 774144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1

Potential code injection by writing to the memory of another process (50 out of 1263 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff42246c process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: VERSION.dll base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: o!w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"wìüþ6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: VerQueryValueA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"wìüþ6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"wìüþ6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: KERNEL32.dll base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: o!w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetLastError base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: HeapFree base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: HeapSize base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: HeapReAlloc base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: HeapAlloc base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetProcessHeap base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: lstrlenA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: lstrcpyA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: EnterCriticalSection base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: LeaveCriticalSection base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: InitializeCriticalSection base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
McAfee	Artemis!1AD0EF26E951
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
ESET-NOD32	a variant of Generik.ILZIDPF
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Trickpak.gen
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Emotet.jc
FireEye	Generic.mg.1ad0ef26e9516367
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Malware.Gen
Kingsoft	Win32.Troj.Undef.(kcloud)
ZoneAlarm	UDS:DangerousObject.Multi.Generic

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2712 resumed a thread in remote process 2480
Process injection	Process 2712 resumed a thread in remote process 2828
Process injection	Process 2712 resumed a thread in remote process 1624
Process injection	Process 2712 resumed a thread in remote process 2080
NtResumeThread Aug. 19, 2021, 6:58 p.m.	thread_handle: 0x00000000000003e8 suspend_count: 1 process_identifier: 2480	1	0	0
NtResumeThread Aug. 19, 2021, 6:58 p.m.	thread_handle: 0x000000000000041c suspend_count: 1 process_identifier: 2828	1	0	0
NtResumeThread Aug. 19, 2021, 6:59 p.m.	thread_handle: 0x0000000000000428 suspend_count: 1 process_identifier: 1624	1	0	0
NtResumeThread Aug. 19, 2021, 6:59 p.m.	thread_handle: 0x0000000000000450 suspend_count: 1 process_identifier: 2080	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 2162 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 19, 2021, 7:05 p.m.	thread_identifier: 2452 thread_handle: 0x00000114 process_identifier: 2364 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000118	1	1
CreateProcessInternalW Aug. 19, 2021, 7:05 p.m.	thread_identifier: 2980 thread_handle: 0x00000118 process_identifier: 2712 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000114	1	1
CreateProcessInternalW Aug. 19, 2021, 6:58 p.m.	thread_identifier: 1428 thread_handle: 0x00000000000003e8 process_identifier: 2480 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff42246c process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtResumeThread Aug. 19, 2021, 6:58 p.m.	thread_handle: 0x00000000000003e8 suspend_count: 1 process_identifier: 2480	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 774144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000003f4	1	0
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: VERSION.dll base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: o!w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"wìüþ6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: VerQueryValueA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"wìüþ6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"wìüþ6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: KERNEL32.dll base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: o!w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: GetLastError base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: HeapFree base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: ,'w +"w/"w Ù wð@wÀ/w0ww7 base_address: 0x00000000000a0000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: HeapSize base_address: 0x0000000000360000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 19, 2021, 6:58 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 19, 2021, 6:58 p.m.	buffer: 6"w w6 base_address: 0x0000000000370000 process_identifier: 2480 process_handle: 0x00000000000003f4	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	216.166.148.187:443
dead_host	62.99.79.77:443

rob122DzjsdFA.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All