Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 21, 2021, 11 a.m.	May 21, 2021, 11:03 a.m.

Size	4.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`671042cc66b28c17d9d2dd2ccf0cba18`
SHA256	`6f53bdbebf09f3852080bce00180a80cd47f75bedb6a68bc2a9a7ffb3d1691a3`
CRC32	`DC492389`
ssdeep	`98304:An7/rYDqnw6AOXu57bC4RqlrjAe8VhhSEYEniZqgE2NFE6Wq+Pw1rhWixOU2tlO1:YMDiWO+57bC8CAe8TMjNHN+PI9xLoMPv`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

8908.exe "C:\Users\test22\AppData\Local\Temp\8908.exe"
2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 11 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (32 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c92000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 8982528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3653632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1011a000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 782336 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02eb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 2232 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fabc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fabc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fabc0

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fddc0

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fddc0

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa9c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa9c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa9c

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffae8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffae8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffae8

size

0x00000014

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\21b67c4.tmp
file	C:\Users\test22\AppData\Local\Temp\21b67e6.tmp
file	C:\Users\test22\AppData\Local\Temp\21b67e5.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: mobsync.exe process_identifier: 2140	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: pw.exe process_identifier: 3064	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: taskhost.exe process_identifier: 2832	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: 8908.exe process_identifier: 2232	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000184 process_name: cmd.exe process_identifier: 2032	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00414000', u'virtual_address': u'0x000a7000', u'entropy': 7.965843233841094, u'name': u'.rdata', u'virtual_size': u'0x00413352'}

entropy

7.96584323384

description

A section with a high entropy has been found

entropy

0.84602917342

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 126 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: 894Ƒ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000184 process_name: 895ǎ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894Ȋ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894Ʌ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894ʀ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894ʻ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894˶ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894̱ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894ͬ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894Χ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894Ϣ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894Н process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894ј process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894ғ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894ӎ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000190 process_name: 894ԇ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000194 process_name: 894Հ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 894չ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ֲ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894׫ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ؤ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ٝ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000194 process_name: 894ږ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ۏ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000194 process_name: 894܈ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894݁ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ݺ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894޳ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000194 process_name: 894߬ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ࠥ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000194 process_name: 894࡞ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ࢗ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 895࣐ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000184 process_name: 895ई process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ी process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ॹ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ল process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894৫ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ਤ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894੝ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000194 process_name: 894ખ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894૏ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894ଈ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ୁ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894୸ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ய process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894௦ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ఝ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 894౔ process_identifier: 2232		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000190 process_name: 894ಋ process_identifier: 2232		0	0

Expresses interest in specific running processes (3 events)

process: potential process injection target	svchost.exe
process: potential process injection target	csrss.exe
process	pw.exe

8908.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All