Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 27, 2021, 3:29 p.m.	Aug. 27, 2021, 3:44 p.m.

Size	820.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b4e0bc4b97c1ff7dc3964293fd10fa5a`
SHA256	`ed93d5063f6ce2d26f5efe28af3827c9080f577441f044109bc733c3b2f9b738`
CRC32	`82C339F7`
ssdeep	`12288:QPcdp7ByGGLWwJa55I0tP2qood3bfFeGByUZbGkM:QPe7ByG4I37B2qVd3bfkGwX`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet

resizebar.png "C:\Users\test22\AppData\Local\Temp\resizebar.png"
2216
- wermgr.exe C:\Windows\system32\wermgr.exe
  2208
  - svchost.exe C:\Windows\system32\svchost.exe
    1684

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.59.81	34.117.59.81

IP Address	Status	Action
105.27.205.34	Active	Moloch
164.124.101.2	Active	Moloch
179.189.229.254	Active	Moloch
216.166.148.187	Active	Moloch
221.147.172.5	Active	Moloch
34.117.59.81	Active	Moloch
46.99.175.149	Active	Moloch
46.99.188.223	Active	Moloch
65.152.201.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 46.99.188.223:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.99.188.223:443 -> 192.168.56.101:49203	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49207 -> 46.99.175.149:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.99.175.149:443 -> 192.168.56.101:49207	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49205 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 105.27.205.34:443 -> 192.168.56.101:49205	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49215 -> 221.147.172.5:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49204 -> 34.117.59.81:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49204 -> 34.117.59.81:80	2020716	ET POLICY Possible External IP Lookup ipinfo.io	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49213 -> 179.189.229.254:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 179.189.229.254:443 -> 192.168.56.101:49213	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 221.147.172.5:443 -> 192.168.56.101:49215	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49203 46.99.188.223:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49207 46.99.175.149:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49205 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.101:49215 221.147.172.5:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50
TLSv1 192.168.56.101:49213 179.189.229.254:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 27, 2021, 3:23 p.m.	computer_name: TEST22-PC	1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Aug. 27, 2021, 3:23 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtOpenFile+0x2b New_ntdll_NtOpenKey-0x1ce @ 0x74432c8b FindFirstFileExW+0x1ee FindFirstFileW-0x2b2 kernelbase+0x592e @ 0x7fefd6d592e FindFirstFileW+0x1c GetFileType-0x44 kernelbase+0x5bfc @ 0x7fefd6d5bfc 0xb341b 0x208d80 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 1994725648 registers.r15: 6 registers.rcx: 1 registers.rsi: 52 registers.r10: 0 registers.rbx: 51 registers.rsp: 1556480 registers.r11: 1 registers.r8: 5 registers.r9: 1951127296 registers.rdx: 2 registers.r12: 0 registers.rbp: 1 registers.rdi: 1557104 registers.rax: 1 registers.r13: 1559324	1
__exception__ Aug. 27, 2021, 3:23 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtFreeVirtualMemory+0x29 New_ntdll_NtGetContextThread-0xf2 @ 0x74431fcf RtlDestroyHandleTable+0x56 RtlRegisterThreadWithCsrss-0xfa ntdll+0x207f6 @ 0x771e07f6 RtlIsDosDeviceName_U+0x137de NtdllDialogWndProc_A-0x1af8e ntdll+0x6d25e @ 0x7722d25e RtlDeNormalizeProcessParams+0x346 CsrAllocateMessagePointer-0x33a ntdll+0x4e256 @ 0x7720e256 RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7721413d exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 1563452 registers.r15: 1563152 registers.rcx: 11 registers.rsi: 854732240 registers.r10: 0 registers.rbx: 1 registers.rsp: 1563056 registers.r11: 11 registers.r8: 5 registers.r9: 1951131136 registers.rdx: 2 registers.r12: 1563160 registers.rbp: 11 registers.rdi: 854732864 registers.rax: 1 registers.r13: 1	1
__exception__ Aug. 27, 2021, 3:24 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x9dd4c exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 855047712 registers.r15: 854916640 registers.rcx: 24 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 1561224 registers.r11: -128 registers.r8: 3 registers.r9: 1951132416 registers.rdx: 3 registers.r12: 40 registers.rbp: 0 registers.rdi: 1561616 registers.rax: 4 registers.r13: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 27, 2021, 3:23 p.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtOpenFile+0x2b New_ntdll_NtOpenKey-0x1ce @ 0x74432c8b
FindFirstFileExW+0x1ee FindFirstFileW-0x2b2 kernelbase+0x592e @ 0x7fefd6d592e
FindFirstFileW+0x1c GetFileType-0x44 kernelbase+0x5bfc @ 0x7fefd6d5bfc
0xb341b
0x208d80

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 1994725648
registers.r15: 6
registers.rcx: 1
registers.rsi: 52
registers.r10: 0
registers.rbx: 51
registers.rsp: 1556480
registers.r11: 1
registers.r8: 5
registers.r9: 1951127296
registers.rdx: 2
registers.r12: 0
registers.rbp: 1
registers.rdi: 1557104
registers.rax: 1
registers.r13: 1559324

__exception__

Aug. 27, 2021, 3:23 p.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtFreeVirtualMemory+0x29 New_ntdll_NtGetContextThread-0xf2 @ 0x74431fcf
RtlDestroyHandleTable+0x56 RtlRegisterThreadWithCsrss-0xfa ntdll+0x207f6 @ 0x771e07f6
RtlIsDosDeviceName_U+0x137de NtdllDialogWndProc_A-0x1af8e ntdll+0x6d25e @ 0x7722d25e
RtlDeNormalizeProcessParams+0x346 CsrAllocateMessagePointer-0x33a ntdll+0x4e256 @ 0x7720e256
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7721413d

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 1563452
registers.r15: 1563152
registers.rcx: 11
registers.rsi: 854732240
registers.r10: 0
registers.rbx: 1
registers.rsp: 1563056
registers.r11: 11
registers.r8: 5
registers.r9: 1951131136
registers.rdx: 2
registers.r12: 1563160
registers.rbp: 11
registers.rdi: 854732864
registers.rax: 1
registers.r13: 1

__exception__

Aug. 27, 2021, 3:24 p.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86
VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096
VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6
VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1
0x9dd4c

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 855047712
registers.r15: 854916640
registers.rcx: 24
registers.rsi: 3
registers.r10: 0
registers.rbx: 3
registers.rsp: 1561224
registers.r11: -128
registers.r8: 3
registers.r9: 1951132416
registers.rdx: 3
registers.r12: 40
registers.rbp: 0
registers.rdi: 1561616
registers.rax: 4
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (18 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/z1RfvZD1vvtrtJVrhxtnnRnLXLxp397/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Cresizebar.png/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://105.27.205.34/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/nV95LdBjzHxVvvN9bbjL1B91hj9f3TTl/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/AHvzHrFQV1MQSv8aoTWrUcl1PKGXJRyJ/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/10/62/UPAVJRPOIHULLMOEWW/7/

Performs some HTTP requests (19 events)

request	GET http://ipinfo.io/ip
request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/z1RfvZD1vvtrtJVrhxtnnRnLXLxp397/
request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/path/C:%5CUsers%5Ctest22%5CAppData%5CLocal%5CTemp%5Cresizebar.png/0/
request	GET https://46.99.188.223/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://105.27.205.34/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/pwgrabb64/
request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/nV95LdBjzHxVvvN9bbjL1B91hj9f3TTl/
request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
request	GET https://46.99.175.149/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/5/file/
request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/AHvzHrFQV1MQSv8aoTWrUcl1PKGXJRyJ/
request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/user/test22/0/
request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://179.189.229.254/lip119/TEST22-PC_W617601.71D63B35517F706F733851BC2CBBF3A3/10/62/UPAVJRPOIHULLMOEWW/7/

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 27, 2021, 3:29 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:29 p.m.	process_identifier: 2216 region_size: 249856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 27, 2021, 3:29 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:29 p.m.	process_identifier: 2216 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:29 p.m.	process_identifier: 2216 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:29 p.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:30 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:30 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:30 p.m.	process_identifier: 2216 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:22 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 129 seconds, actually delayed analysis time by 129 seconds

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\svchost.exe
cmdline	C:\Windows\system32\cmd.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 622592 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000180001000 process_handle: 0x00000000000003f4	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 27, 2021, 3:23 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 27, 2021, 3:23 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 27, 2021, 3:30 p.m.	status_code: 0x00000000 process_identifier: 1836 process_handle: 0x00000110
NtTerminateProcess Aug. 27, 2021, 3:30 p.m.	status_code: 0x00000000 process_identifier: 1836 process_handle: 0x00000110	1
NtTerminateProcess Aug. 27, 2021, 3:24 p.m.	status_code: 0x00000000 process_identifier: 2768 process_handle: 0x0000000000000414
NtTerminateProcess Aug. 27, 2021, 3:24 p.m.	status_code: 0x00000000 process_identifier: 2768 process_handle: 0x0000000000000414	1

Communicates with host for which no DNS query was performed (7 events)

host	105.27.205.34
host	179.189.229.254
host	216.166.148.187
host	221.147.172.5
host	46.99.175.149
host	46.99.188.223
host	65.152.201.203

Allocates execute permission to another process indicative of possible code injection (50 out of 267 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1

Potential code injection by writing to the memory of another process (50 out of 399 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGXGD$\D$\øGuWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\=Ã3ÀéZÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&IÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: H¹H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: VERSION.dll base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: oåvG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævxüþG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: VerQueryValueA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævxüþG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævxüþG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: KERNEL32.dll base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: oåvG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetLastError base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: HeapFree base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: HeapSize base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: HeapReAlloc base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: HeapAlloc base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetProcessHeap base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: lstrlenA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: lstrcpyA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: EnterCriticalSection base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: LeaveCriticalSection base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: InitializeCriticalSection base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 resumed a thread in remote process 1684
NtResumeThread Aug. 27, 2021, 3:24 p.m.	thread_handle: 0x0000000000000404 suspend_count: 1 process_identifier: 1684	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 684 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 27, 2021, 3:29 p.m.	thread_identifier: 2384 thread_handle: 0x00000108 process_identifier: 2208 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000010c	1	1
CreateProcessInternalW Aug. 27, 2021, 3:30 p.m.	thread_identifier: 3016 thread_handle: 0x00000114 process_identifier: 1836 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000110	1	1
CreateProcessInternalW Aug. 27, 2021, 3:24 p.m.	thread_identifier: 872 thread_handle: 0x0000000000000404 process_identifier: 1684 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGXGD$\D$\øGuWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\=Ã3ÀéZÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&IÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: H¹H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtResumeThread Aug. 27, 2021, 3:24 p.m.	thread_handle: 0x0000000000000404 suspend_count: 1 process_identifier: 1684	1	0
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000003f4	1	0
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: VERSION.dll base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: oåvG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævxüþG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: VerQueryValueA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævxüþG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævxüþG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: KERNEL32.dll base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: oåvG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: GetLastError base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: HeapFree base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwH base_address: 0x0000000000120000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: HeapSize base_address: 0x0000000000470000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1
NtAllocateVirtualMemory Aug. 27, 2021, 3:24 p.m.	process_identifier: 1684 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f4	1	0
WriteProcessMemory Aug. 27, 2021, 3:24 p.m.	buffer: 6ævävG base_address: 0x0000000000480000 process_identifier: 1684 process_handle: 0x00000000000003f4	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	65.152.201.203:443
dead_host	216.166.148.187:443

resizebar.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All