Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 7, 2021, 10:16 a.m.	Nov. 7, 2021, 10:25 a.m.

Size	641.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`39c19b40099fc77f06afe98ddebace2d`
SHA256	`f65a605e05b0dbe8eafdb89b05abf2c94193273b2a53eb1cc53c9f3575b1e26f`
CRC32	`4D01E88A`
ssdeep	`12288:5nZndx1krxFPqBSPt7bQ9k03GxGprGwbKM:9ZdxuQSPt72k034GJGf`
PDB Path	c:\sample exe lego\correctmodel.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

eflairpany.png "C:\Users\test22\AppData\Local\Temp\eflairpany.png"
2344
- wermgr.exe C:\Windows\system32\wermgr.exe
  2472

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
110.172.137.20	Active	Moloch
103.146.232.154	Active	Moloch
103.75.32.173	Active	Moloch
139.255.65.170	Active	Moloch
36.95.23.89	Active	Moloch
36.91.186.235	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 36.91.186.235:443	2404314	ET CNC Feodo Tracker Reported CnC Server group 15	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 103.75.32.173:443	2404301	ET CNC Feodo Tracker Reported CnC Server group 2	A Network Trojan was detected
TCP 192.168.56.103:49170 -> 103.75.32.173:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 192.168.56.103:49169 -> 103.75.32.173:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.75.32.173:443 -> 192.168.56.103:49170	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 103.75.32.173:443 -> 192.168.56.103:49169	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 103.75.32.173:443	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 103.75.32.173:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 139.255.65.170:443 -> 192.168.56.103:49164	2015686	ET POLICY Signed TLS Certificate with md5WithRSAEncryption	Misc activity
TCP 192.168.56.103:49164 -> 139.255.65.170:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 139.255.65.170:443 -> 192.168.56.103:49164	2015686	ET POLICY Signed TLS Certificate with md5WithRSAEncryption	Misc activity
TCP 192.168.56.103:49167 -> 103.146.232.154:443	2404300	ET CNC Feodo Tracker Reported CnC Server group 1	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 103.146.232.154:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 103.146.232.154:443 -> 192.168.56.103:49167	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 139.255.65.170:443	ST=none	ST=none	4b:a1:31:ba:f6:c3:4d:30:82:b5:b1:2f:02:e6:f4:15:b1:93:15:aa
TLSv1 192.168.56.103:49167 103.146.232.154:443	C=US, ST=IL, O=Internet Widgits Pty Ltd	C=US, ST=IL, O=Internet Widgits Pty Ltd	92:9c:54:61:4b:3c:f9:b4:92:51:95:d0:aa:d5:6b:b5:51:ab:1d:47

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 7, 2021, 10:16 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

c:\sample exe lego\correctmodel.pdb

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Nov. 7, 2021, 10:16 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd hook_in_monitor+0x45 lde-0x133 @ 0x743a42ea New_ntdll_LdrGetProcedureAddress+0x43 New_ntdll_LdrLoadDll-0x156 @ 0x743bf7f3 GetProcAddress+0x60 GetModuleHandleA-0x80 kernelbase+0x4190 @ 0x7fefd7d4190 SvchostPushServiceGlobals+0x471 WinHttpQueryOption-0x1a7b winhttp+0x1eb99 @ 0x7fef8a0eb99 SvchostPushServiceGlobals+0x4fb WinHttpQueryOption-0x19f1 winhttp+0x1ec23 @ 0x7fef8a0ec23 WinHttpConnect+0x1ab WinHttpGetDefaultProxyConfiguration-0x1615 winhttp+0x13fe7 @ 0x7fef8a03fe7 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x770e9a5a registers.r14: 1895368 registers.r15: 854371504 registers.rcx: 0 registers.rsi: 854370944 registers.r10: 0 registers.rbx: 0 registers.rsp: 1894848 registers.r11: 0 registers.r8: 5 registers.r9: 1950668800 registers.rdx: 2 registers.r12: 3329056 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 443	1
__exception__ Nov. 7, 2021, 10:16 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd hook_in_monitor+0x45 lde-0x133 @ 0x743a42ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x743bbdb5 0xa42a3 0x1ce078 0x99038 0x1ce0d0 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x770e9a5a registers.r14: 701432 registers.r15: 1895200 registers.rcx: 0 registers.rsi: 1892472 registers.r10: 0 registers.rbx: 854201384 registers.rsp: 1892464 registers.r11: 0 registers.r8: 5 registers.r9: 1950670592 registers.rdx: 2 registers.r12: 1895168 registers.rbp: 0 registers.rdi: 1895192 registers.rax: 1 registers.r13: 1994074992	1
__exception__ Nov. 7, 2021, 10:16 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd hook_in_monitor+0x45 lde-0x133 @ 0x743a42ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x743bc0bf WinHttpCloseHandle-0xbb8 winhttp+0x1728 @ 0x7fef89f1728 WinHttpOpenRequest+0xc68 WinHttpCreateUrl-0x48 winhttp+0x5260 @ 0x7fef89f5260 WinHttpCreateUrl+0xc6 WinHttpSendRequest-0x2162 winhttp+0x536e @ 0x7fef89f536e WinHttpOpenRequest+0x570 WinHttpCreateUrl-0x740 winhttp+0x4b68 @ 0x7fef89f4b68 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x770e9a5a registers.r14: 0 registers.r15: 1892672 registers.rcx: 0 registers.rsi: 3469232 registers.r10: 0 registers.rbx: 0 registers.rsp: 1891584 registers.r11: 0 registers.r8: 5 registers.r9: 1950668544 registers.rdx: 2 registers.r12: 443 registers.rbp: 8 registers.rdi: 0 registers.rax: 1 registers.r13: 3740688	1
__exception__ Nov. 7, 2021, 10:17 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd hook_in_monitor+0x45 lde-0x133 @ 0x743a42ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x743bc0bf WinHttpCloseHandle-0xbb8 winhttp+0x1728 @ 0x7fef89f1728 WinHttpOpenRequest+0xc68 WinHttpCreateUrl-0x48 winhttp+0x5260 @ 0x7fef89f5260 WinHttpCreateUrl+0xc6 WinHttpSendRequest-0x2162 winhttp+0x536e @ 0x7fef89f536e WinHttpOpenRequest+0x570 WinHttpCreateUrl-0x740 winhttp+0x4b68 @ 0x7fef89f4b68 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x770e9a5a registers.r14: 0 registers.r15: 1892672 registers.rcx: 0 registers.rsi: 3478224 registers.r10: 0 registers.rbx: 0 registers.rsp: 1891584 registers.r11: 0 registers.r8: 5 registers.r9: 1950668544 registers.rdx: 2 registers.r12: 443 registers.rbp: 8 registers.rdi: 0 registers.rax: 1 registers.r13: 3802576	1
__exception__ Nov. 7, 2021, 10:17 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd hook_in_monitor+0x45 lde-0x133 @ 0x743a42ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x743bc0bf WinHttpCloseHandle-0xbb8 winhttp+0x1728 @ 0x7fef89f1728 WinHttpOpenRequest+0xc68 WinHttpCreateUrl-0x48 winhttp+0x5260 @ 0x7fef89f5260 WinHttpCreateUrl+0xc6 WinHttpSendRequest-0x2162 winhttp+0x536e @ 0x7fef89f536e WinHttpOpenRequest+0x570 WinHttpCreateUrl-0x740 winhttp+0x4b68 @ 0x7fef89f4b68 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x770e9a5a registers.r14: 0 registers.r15: 1892672 registers.rcx: 0 registers.rsi: 3816336 registers.r10: 0 registers.rbx: 0 registers.rsp: 1891584 registers.r11: 0 registers.r8: 5 registers.r9: 1950668544 registers.rdx: 2 registers.r12: 443 registers.rbp: 8 registers.rdi: 0 registers.rax: 1 registers.r13: 3802912	1
__exception__ Nov. 7, 2021, 10:17 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x743c6d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77121278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x770e9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76ddb5e7 stacktrace+0x1d1 memdup-0x62 @ 0x743b05bd hook_in_monitor+0x45 lde-0x133 @ 0x743a42ea New_kernel32_GetTickCount+0x19 New_kernel32_GetTimeZoneInformation-0x76 @ 0x743bc0bf WinHttpCloseHandle-0xbb8 winhttp+0x1728 @ 0x7fef89f1728 WinHttpOpenRequest+0xc68 WinHttpCreateUrl-0x48 winhttp+0x5260 @ 0x7fef89f5260 WinHttpCreateUrl+0xc6 WinHttpSendRequest-0x2162 winhttp+0x536e @ 0x7fef89f536e WinHttpOpenRequest+0x570 WinHttpCreateUrl-0x740 winhttp+0x4b68 @ 0x7fef89f4b68 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x770e9a5a registers.r14: 0 registers.r15: 1892672 registers.rcx: 0 registers.rsi: 3531888 registers.r10: 0 registers.rbx: 0 registers.rsp: 1891584 registers.r11: 0 registers.r8: 5 registers.r9: 1950668544 registers.rdx: 2 registers.r12: 443 registers.rbp: 8 registers.rdi: 0 registers.rax: 1 registers.r13: 3803584	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET https://139.255.65.170/lib176/TEST22-PC_W617601.04F75BDCBFBEA97F589B337531FD97BF/5/kps/
suspicious_features	Connection to IP address				suspicious_request	GET https://103.146.232.154/lib176/TEST22-PC_W617601.04F75BDCBFBEA97F589B337531FD97BF/5/kps/

Performs some HTTP requests (2 events)

request	GET https://139.255.65.170/lib176/TEST22-PC_W617601.04F75BDCBFBEA97F589B337531FD97BF/5/kps/
request	GET https://103.146.232.154/lib176/TEST22-PC_W617601.04F75BDCBFBEA97F589B337531FD97BF/5/kps/

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 434176 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2344 region_size: 184320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2021, 10:16 a.m.	process_identifier: 2472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 175 seconds, actually delayed analysis time by 175 seconds

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 7, 2021, 10:16 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 7, 2021, 10:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 7, 2021, 10:16 a.m.	status_code: 0x00000000 process_identifier: 2516 process_handle: 0x000000b8		0	0
NtTerminateProcess Nov. 7, 2021, 10:16 a.m.	status_code: 0x00000000 process_identifier: 2516 process_handle: 0x000000b8	1	0	0

Communicates with host for which no DNS query was performed (6 events)

host	110.172.137.20
host	103.146.232.154
host	103.75.32.173
host	139.255.65.170
host	36.95.23.89
host	36.91.186.235

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

36.95.23.89:443

eflairpany.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All