Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 30, 2021, 10:47 a.m.	March 30, 2021, 10:50 a.m.

Size	396.1KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`35994b0f330dac6e145ebed16e77ddec`
SHA256	`aa40f9dd1212993f79cc23111de3a8dd5e529dd1a8ca5dceaa30fba53f6f96b4`
CRC32	`71FDBAF7`
ssdeep	`6144:tDYZ57TsVxGVmpMbj8RCUoKaiYYFJLPwhC3Jp4BdXq7zDc9JTz:tkvTYxqCcj8RC9FLYFhPwiJpZUTz`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero screenshot - Take screenshot win_files_operation - Affect private profile IsPE32 - (no description) IsDLL - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\count.php.dll,StartW
8052
- wermgr.exe C:\Windows\system32\wermgr.exe
  8780
  - cmd.exe C:\Windows\system32\cmd.exe
    7552
  - cmd.exe C:\Windows\system32\cmd.exe
    6552
  - cmd.exe C:\Windows\system32\cmd.exe
    7304
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\count.php.dll,
3532

Name	Response	Post-Analysis Lookup
150.134.208.175.b.barracudacentral.org	A 127.0.0.2	127.0.0.2
150.134.208.175.zen.spamhaus.org
wtfismyip.com	A 95.217.228.176	95.217.228.176
150.134.208.175.cbl.abuseat.org

IP Address	Status	Action
103.26.251.214	Active	Moloch
12.158.156.51	Active	Moloch
137.27.167.58	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
24.182.101.64	Active	Moloch
45.164.80.94	Active	Moloch
67.212.241.127	Active	Moloch
67.79.117.70	Active	Moloch
72.180.57.176	Active	Moloch
75.87.15.158	Active	Moloch
95.217.228.176	Active	Moloch
98.6.170.206	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49814 -> 72.180.57.176:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 72.180.57.176:443 -> 192.168.56.102:49814	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49823 -> 45.164.80.94:447	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 45.164.80.94:447 -> 192.168.56.102:49823	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49815 -> 75.87.15.158:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 75.87.15.158:443 -> 192.168.56.102:49815	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49821 -> 67.79.117.70:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 67.79.117.70:443 -> 192.168.56.102:49821	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49818 -> 98.6.170.206:447	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 98.6.170.206:447 -> 192.168.56.102:49818	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49826 -> 137.27.167.58:443	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 137.27.167.58:443 -> 192.168.56.102:49826	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49830 -> 24.182.101.64:449	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 24.182.101.64:449 -> 192.168.56.102:49830	2011540	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)	Not Suspicious Traffic
TCP 192.168.56.102:49816 -> 95.217.228.176:80	2019737	ET POLICY IP Check wtfismyip.com	Potential Corporate Privacy Violation
TCP 192.168.56.102:49816 -> 95.217.228.176:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49814 72.180.57.176:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	a1:ea:a4:fa:0a:5e:ba:b9:c1:46:42:a3:0b:3e:a6:e7:b4:e2:f7:f0
TLSv1 192.168.56.102:49823 45.164.80.94:447	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	C=US, ST=IL, L=Chicago, O=Internet Widgits Pty Ltd	f1:ae:ef:9b:5f:b8:da:ca:2f:e8:b4:99:1d:16:71:ca:08:11:be:e4
TLSv1 192.168.56.102:49815 75.87.15.158:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79
TLSv1 192.168.56.102:49821 67.79.117.70:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79
TLSv1 192.168.56.102:49818 98.6.170.206:447	C=US, ST=Some-State, O=Internet Widgits Pty Ltd	C=US, ST=Some-State, O=Internet Widgits Pty Ltd	8d:b6:86:81:b0:6b:e5:0a:58:13:73:ec:a7:95:6f:f6:4b:e2:e9:d8
TLSv1 192.168.56.102:49826 137.27.167.58:443	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79
TLSv1 192.168.56.102:49830 24.182.101.64:449	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	C=AU, ST=Some-State, O=Internet Widgits Pty Ltd	81:c4:f0:b6:a7:40:f0:09:2b:ab:2a:1c:df:80:a0:30:da:d8:93:79

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 30, 2021, 10:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 30, 2021, 10:47 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ March 30, 2021, 10:40 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x72e1bdb5 0x129483 0x11dbc8 0x238a8a9 0x11dc20 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 0 registers.r15: 1173104 registers.rcx: 0 registers.rsi: 1170376 registers.r10: 0 registers.rbx: 847919784 registers.rsp: 1170368 registers.r11: 0 registers.r8: 5 registers.r9: 1927995136 registers.rdx: 2 registers.r12: 1994795888 registers.rbp: 0 registers.rdi: 1173096 registers.rax: 1 registers.r13: 1317752	1
__exception__ March 30, 2021, 10:41 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x72e1fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x13b5c3 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 851057504 registers.r15: 851059280 registers.rcx: -2599019704512685353 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 1168328 registers.r11: -2599019704512685505 registers.r8: 3 registers.r9: 1927998208 registers.rdx: 3 registers.r12: 40 registers.rbp: -2599019704512685377 registers.rdi: 1168720 registers.rax: 4 registers.r13: 0	1
__exception__ March 30, 2021, 10:41 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x72e1fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x13b5c3 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 842698032 registers.r15: 851057776 registers.rcx: -2599019704512685353 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 1168664 registers.r11: -2599019704512685505 registers.r8: 3 registers.r9: 1927998208 registers.rdx: 3 registers.r12: 40 registers.rbp: -2599019704512685377 registers.rdi: 1169056 registers.rax: 4 registers.r13: 0	1
__exception__ March 30, 2021, 10:41 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea New_ntdll_NtAllocateVirtualMemory+0x34 New_ntdll_NtClose-0x162 @ 0x72e1fc86 VirtualAllocExNuma+0x66 VirtualAllocEx-0x2a kernelbase+0x33096 @ 0x7fefd703096 VirtualAllocEx+0x16 WriteProcessMemory-0x1a kernelbase+0x330d6 @ 0x7fefd7030d6 VirtualAllocEx+0x11 VerLanguageNameW-0xf kernel32+0x4bbe1 @ 0x76e8bbe1 0x13b5c3 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x771d9a5a registers.r14: 842698032 registers.r15: 842697968 registers.rcx: -2599019704512685353 registers.rsi: 3 registers.r10: 0 registers.rbx: 3 registers.rsp: 1168024 registers.r11: -2599019704512685505 registers.r8: 3 registers.r9: 1927998208 registers.rdx: 3 registers.r12: 40 registers.rbp: -2599019704512685377 registers.rdi: 1168416 registers.rax: 4 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (24 events)

suspicious_features	Connection to IP address	suspicious_request	GET https://72.180.57.176/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
suspicious_features	Connection to IP address	suspicious_request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
suspicious_features	Connection to IP address	suspicious_request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/jdtzrTn7D1fhJNbBNVH7NJBPBDzrN/
suspicious_features	Connection to IP address	suspicious_request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CNetDownloadMng5575191179%5Cxzcountlb.dwn/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1jdJTPhNJftt9llb5HDzBt1d1t3/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/QHAVHUMUVKIZYSUYVK/7/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/23/2000027/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/DNSBL/listed/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/pxPtLlVV7rz3hFHPxXVH9ntpH3/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/JXX9LFPNtFT75Htn3nVXhlnxNLP/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/4j4pxaBWesD3gH7yYCXrlLdHM/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/707854/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab/sTart%20Run%20D%20failed/0/
suspicious_features	Connection to IP address	suspicious_request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab64/reload1/0/

Performs some HTTP requests (25 events)

request	GET http://wtfismyip.com/text
request	GET https://72.180.57.176/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/jdtzrTn7D1fhJNbBNVH7NJBPBDzrN/
request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/path/C:%5CUsers%5Ctest22%5CAppData%5CRoaming%5CNetDownloadMng5575191179%5Cxzcountlb.dwn/0/
request	GET https://75.87.15.158/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/1jdJTPhNJftt9llb5HDzBt1d1t3/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/NAT%20status/client%20is%20behind%20NAT/0/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/QHAVHUMUVKIZYSUYVK/7/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/23/2000027/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/DNSBL/listed/0/
request	GET https://67.79.117.70/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/pxPtLlVV7rz3hFHPxXVH9ntpH3/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/5/kps/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/0/Windows%207%20x64%20SP1/1105/175.208.134.150/727F639DF1E9560A2743CB69221BB85D3D1D1CBDEE638318DB0A9F2C35331CAD/JXX9LFPNtFT75Htn3nVXhlnxNLP/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/exc/E:%200xc0000005%20A:%200x00000000771D9A5A/0/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/user/test22/0/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/1/4j4pxaBWesD3gH7yYCXrlLdHM/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/10/62/707854/0/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab/sTart%20Run%20D%20failed/0/
request	GET https://137.27.167.58/rob39/TEST22-PC_W617601.312A97F76E51F9D43B18A1FFD13B7EF0/14/pwgrab64/reload1/0/

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10020000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73861000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 274432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00671000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory March 30, 2021, 10:40 a.m.	process_identifier: 8780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

wermgr.exe tried to sleep 136 seconds, actually delayed analysis time by 136 seconds

Looks up the external IP address (1 event)

domain

wtfismyip.com

Creates hidden or system file (8 events)

Time & API	Arguments	Return
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile March 30, 2021, 10:47 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 30, 2021, 10:47 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 208896 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x006f1000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 30, 2021, 10:40 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00042000', u'virtual_address': u'0x00021000', u'entropy': 7.201963185774935, u'name': u'.rsrc', u'virtual_size': u'0x000414ec'}

entropy

7.20196318577

description

A section with a high entropy has been found

entropy

0.673469387755

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 30, 2021, 10:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (36 events)

description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 30, 2021, 10:41 a.m.	status_code: 0x00000000 process_identifier: 8628 process_handle: 0x0000000000000414		0	0
NtTerminateProcess March 30, 2021, 10:41 a.m.	status_code: 0x00000000 process_identifier: 8628 process_handle: 0x0000000000000414	1	0	0

Communicates with host for which no DNS query was performed (11 events)

host	103.26.251.214
host	12.158.156.51
host	137.27.167.58
host	172.217.25.14
host	24.182.101.64
host	45.164.80.94
host	67.212.241.127
host	67.79.117.70
host	72.180.57.176
host	75.87.15.158
host	98.6.170.206

Allocates execute permission to another process indicative of possible code injection (50 out of 945 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 1138688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1

Potential code injection by writing to the memory of another process (50 out of 1422 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGXMD$\D$\øMuWHw`HkFWHD$PHD$PH=¸u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\=Ç3ÀéZÿÿÿHD$PH=uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PH=uLF HNHVÿëÊÿëÆHD$PHøWuHNÿë³HD$PH=®EÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: H¹H¸ ÿà base_address: 0x000000004a9790b4 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: KERNEL32.dll base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: oåvÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: InitializeCriticalSection base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: Sleep base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: GetLastError base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: CreateThread base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: DeleteCriticalSection base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: GetFileSize base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: SetLastError base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: CreateFileA base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: lstrlenA base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: lstrcmpA base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: LoadLibraryA base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: GetTickCount base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: AreFileApisANSI base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ReadFile base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: TryEnterCriticalSection base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Bkav	W32.AIDetect.malware2
McAfee	Artemis!35994B0F330D
CrowdStrike	win/malicious_confidence_60% (D)
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMetagen [Malware]
McAfee-GW-Edition	BehavesLike.Win32.Emotet.fh
FireEye	Generic.mg.35994b0f330dac6e
Sophos	ML/PE-A
APEX	Malicious
AVG	FileRepMetagen [Malware]

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8780 resumed a thread in remote process 7552
Process injection	Process 8780 resumed a thread in remote process 6552
Process injection	Process 8780 resumed a thread in remote process 7304
NtResumeThread March 30, 2021, 10:41 a.m.	thread_handle: 0x00000000000003ec suspend_count: 1 process_identifier: 7552	1	0	0
NtResumeThread March 30, 2021, 10:41 a.m.	thread_handle: 0x0000000000000118 suspend_count: 1 process_identifier: 6552	1	0	0
NtResumeThread March 30, 2021, 10:41 a.m.	thread_handle: 0x0000000000000414 suspend_count: 1 process_identifier: 7304	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 2417 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 30, 2021, 10:47 a.m.	thread_identifier: 6096 thread_handle: 0x00000150 process_identifier: 8780 current_directory: C:\Windows\system32 filepath: track: 1 command_line: C:\Windows\system32\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000154	1	1
CreateProcessInternalW March 30, 2021, 10:41 a.m.	thread_identifier: 2196 thread_handle: 0x00000000000003ec process_identifier: 7552 current_directory: filepath: track: 1 command_line: C:\Windows\system32\cmd.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000090000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: UAVVWSHì`Hl$`HäðHùë0H¨ÇGXHOÿW0HHWA¸ÿÿÿÿE3ÉÿWkGXMD$\D$\øMuWHw`HkFWHD$PHD$PH=¸u\HFHLV@L^8H^0LN(LF HNHVHD$8LT$0L\$(H\$ ëpD$\=Ç3ÀéZÿÿÿHD$PH=uPHFPH^HLV@L^8Lv0LN(LF HNHVHD$@H\$8LT$0L\$(Lt$ ÿH ¸éóþÿÿH\|$PtHD$PH=uLF HNHVÿëÊÿëÆHD$PHøWuHNÿë³HD$PH=®EÿÿÿHNHVÿëHÇ¨HHWE3ÀE3ÉÿWHÿW(HÇHOÿW(HÇG3ÉÿW83ÀHå[_^A^]ÃÌÌUVHì(Hl$ HäðHuPHöt@HEHM@HVpLFxLÉHHH¶HNÿV0HNºÿÿÿÿÿV He^]Ã base_address: 0x0000000000090000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!ww base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: H¹H¸ ÿà base_address: 0x000000004a9790b4 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtResumeThread March 30, 2021, 10:41 a.m.	thread_handle: 0x00000000000003ec suspend_count: 1 process_identifier: 7552	1	0
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 1138688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000180000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x0000000180000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000000000002a0	1	0
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: KERNEL32.dll base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: oåvÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: InitializeCriticalSection base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: Sleep base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: GetLastError base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: CreateThread base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: DeleteCriticalSection base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: GetFileSize base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: SetLastError base_address: 0x0000000001c80000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
NtAllocateVirtualMemory March 30, 2021, 10:41 a.m.	process_identifier: 7552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002a0	1	0
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: 6ævävÈ base_address: 0x0000000001c90000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1
WriteProcessMemory March 30, 2021, 10:41 a.m.	buffer: ,ëv +æv/æv Ùävð@wÀ/!w0!wwÉ base_address: 0x00000000001a0000 process_identifier: 7552 process_handle: 0x00000000000002a0	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	103.26.251.214:447
dead_host	12.158.156.51:447
dead_host	192.168.56.102:49822
dead_host	192.168.56.102:49829
dead_host	67.212.241.127:443

count.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All