Summary | ZeroBOX

dingding.exe

Malicious Library Admin Tool (Sysinternals etc ...) UPX PE64 PE File OS Processor Check
Category: FILE
Machine: s1_win7_x6401
Started: Sept. 28, 2022, 5:05 p.m.
Completed: Sept. 28, 2022, 5:10 p.m.
Size 426.9KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 62a4aa621e034dbdaaf2bef8f5a4aef0
SHA256 b239b5d05aba2f98cbc955c1b88884495db53f5b3a3381b94db1aa76e3ed67a1
CRC32 99BA156F
ssdeep 12288:nOYO68aew0lMKTKK4KKDyK5FZ1EEEEmEEE1EEEEEEEEEEElKK1KKK1KKK7:NOb2KTKK4KKDyK5FZ1EEEEmEEE1EEEEE
PDB Path D:\project\a27aeb8e-ae9f-47c1-97c7-fe33e574439f\windowsproject\Bin\windowsproject.pdb
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
pdb_path D:\project\a27aeb8e-ae9f-47c1-97c7-fe33e574439f\windowsproject\Bin\windowsproject.pdb
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x76d49a5a
registers.r14: 7597679706857041993
registers.r15: 1992454256
registers.rcx: 0
registers.rsi: 38984896
registers.r10: 0
registers.rbx: 1992504976
registers.rsp: 38984840
registers.r11: -64
registers.r8: 5
registers.r9: 5368639488
registers.rdx: 2
registers.r12: 0
registers.rbp: 0
registers.rdi: 38984880
registers.rax: 1
registers.r13: 1819042862
1 0 0

__exception__

stacktrace:

exception.instruction_r: 49 8b 00 4a 89 84 cc 58 01 00 00 4c 8b 84 24 78
exception.symbol: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5
exception.instruction: mov rax, qword ptr [r8]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 101877
exception.address: 0x76d48df5
registers.r14: 7597679706857041993
registers.r15: 1992454256
registers.rcx: 0
registers.rsi: 38984896
registers.r10: 0
registers.rbx: 1992504976
registers.rsp: 38984816
registers.r11: 5368639488
registers.r8: 0
registers.r9: 5
registers.rdx: 1993539584
registers.r12: 0
registers.rbp: 0
registers.rdi: 38984880
registers.rax: 1
registers.r13: 1819042862
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000252e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0
description dingding.exe tried to sleep 1165 seconds, actually delayed analysis time by 0 seconds
name RT_MENU language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006ab30 size 0x00000050
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006ab80 size 0x00000130
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006acb0 size 0x00000058
name RT_ACCELERATOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0006ad08 size 0x00000010
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000252e000
process_handle: 0xffffffffffffffff
1 0 0
Cynet Malicious (score: 99)
McAfee Artemis!62A4AA621E03
Malwarebytes Trojan.ShellCode
Sangfor Backdoor.Win64.Rozena.Vy04
BitDefender DeepScan:Generic.Exploit.Shellcode.2.94BC972D
Arcabit DeepScan:Generic.Exploit.Shellcode.2.94BC972D
Cyren W64/ABTrojan.IHFW-7488
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win64/Rozena.SK
TrendMicro-HouseCall TROJ_GEN.R002H0DIK22
Paloalto generic.ml
Kaspersky Backdoor.Win32.Cobalt.cde
Alibaba Trojan:Win64/Rozena.4cb228d3
MicroWorld-eScan DeepScan:Generic.Exploit.Shellcode.2.94BC972D
APEX Malicious
Rising Trojan.Rozena!8.6D (TFE:5:uMmeEKArToU)
Ad-Aware DeepScan:Generic.Exploit.Shellcode.2.94BC972D
Sophos Mal/Generic-S
DrWeb BackDoor.Meterpreter.157
VIPRE DeepScan:Generic.Exploit.Shellcode.2.94BC972D
McAfee-GW-Edition Artemis!Trojan
FireEye DeepScan:Generic.Exploit.Shellcode.2.94BC972D
Emsisoft DeepScan:Generic.Exploit.Shellcode.2.94BC972D (B)
Ikarus Trojan.Win64.Rozena
Webroot W32.Trojan.Gen
Avira TR/AD.PatchedWinSwrort.lpmee
Antiy-AVL Trojan/Generic.ASMalwS.3BFF
Microsoft Trojan:Win32/Wacatac.B!ml
GData DeepScan:Generic.Exploit.Shellcode.2.94BC972D
Google Detected
ALYac DeepScan:Generic.Exploit.Shellcode.2.94BC972D
MAX malware (ai score=100)
Cylance Unsafe
Avast Win64:TrojanX-gen [Trj]
Tencent Win32.Backdoor.Cobalt.Aplw
Yandex Trojan.Rozena!hV8nkBVTSYY
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W64/Rozena.SK!tr
AVG Win64:TrojanX-gen [Trj]
Panda Trj/Chgt.AD