Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 5, 2021, 9:06 a.m.	Nov. 5, 2021, 9:18 a.m.

Size	1.9MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`9cfd97227c5095d2efd4dd86688e04b0`
SHA256	`a10f0e188da684caa1f635985bb297b85998c080feae1b61c7e70881df5b1206`
CRC32	`C2EFB029`
ssdeep	`49152:oQU1aLhQhG5NUAgoOa8nBc0SmmdWwMLwktw4B3eMqfn8+nFFQCxEsJwKQB:ofaNQh+NUABO/c0Y9AdgMqf8+gqJW`
PDB Path	c:\Safe\Share\Born\magnet\Thin.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsDLL - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Armshoe
2788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Comelife
2972
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Bepitch
2884
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Fathertone
3060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Namebefore
2140
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,NationSugar
2228
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Passshop
2404
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Put
2492
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,Roadspend
2768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\sdd.dll,
2936

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.117.90.36	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Uses Windows APIs to generate a cryptographic key (50 out of 99 events)

Time & API	Arguments	Status	Return
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x00466398 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x00466310	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00466398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA2÷Ì3ÂªöÌ@õì$5gÿSÜëÂÄóðÌ"©$¥ñ×{òKV¹H.RP §bH×Õo»¤Ä#KË½XÓ-¢Tl3Nåý¦®oØT¡ô<¯ËL1ÏúF1ª¶pBtø )×AúÂN8¸z»óG¦4äºþ´ÖÐC/GÊ³ãpõL ògâoAØSóÝo9"Gª¥¹B}HÂ&^Sêf¦5§Ä07ã}Çìíús:ëÙÅ@Zê}ÁÕ5¥ÿÔ/p°LP¯ðR¨ú39ðúþÉoÂy¢×¿\|^3uø@óÒÖ6-QÛYýØ©¤Ò kîÙTR#¥VUÉ£éÙ¯)r)ßwÒ6~ »ønaàmLoN:ýP5Í·²A<ï¤ú^ß1ø1köe#gZNT,s%zî§o^P=eó¢âÕÇ.<ö5PN ©xÅK`ÌIúÇ%9À_ÇkkuªÀa.¹KB~¢KÁÁEÂ{ÓL=Ø À\|U×¯//l¥z¨i¼k]²p¶q`KtòÀçGÑêÙ`À²ÃEat>ñÄúæ¯¦aÒLøK:³)ér7"S=´N_%=å,ðsôÚ¼@\þ«&Ð½b*Æ\|¬»ÁXÀ(ü!V'ÿÐ¨U8À éZ¾epxý crypto_handle: 0x00466398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00466398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA1÷Ì3ÂªöÌ@õì$5gÿSÜëÂÄóðÌ"©$¥ñ×{òKV¹H.RP §bH×Õo»¤Ä#KË½XÓ-¢Tl3Nåý¦®oØT¡ô<¯ËL1ÏúF1ª¶pBtø )×AúÂN8¸z»óG¦4äº crypto_handle: 0x00466398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x0046af90 algorithm_identifier: 0x00006610 () flags: 1 key: f º~I±Úå9k\V¹Àõ ¯9bß CªÉNÁ) provider_handle: 0x0046b808	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f º~I±Úå9k\V¹Àõ ¯9bß CªÉNÁ) crypto_handle: 0x0046af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x0046af90 algorithm_identifier: 0x00006610 () flags: 1 key: f H77,VßËüX{ÝKR04<-K¸ Ý}e provider_handle: 0x0046b808	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f H77,VßËüX{ÝKR04<-K¸ Ý}e crypto_handle: 0x0046af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x00596398 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x00596310	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00596398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA2·i1QÀæñb9ÑÇ'ñ³c¾¦¦X7&<XYÇRÂ¤d@Xã¿µMä¿?û ÿÿR0±#ßþ®é\|'5GÑ«ä,/Z°WÓ¹Û/ö,%NTI5:Sê§ùj·IÍ<U"sÆt[3Ð.f®)CUç5þÐ(ÄÛ¤¤ÜKaGà¤ à?ëÊ&Ó®N~7$ÕÁ?>~X5ã´°=îóæßÁ:·©CÙdBK{¬ø\¬tK3^k+,î3¡5³¼ÇÍ¢Ð¦±ÊðrÃ~Xß-°Ã¬ÁùAAe®!-Ä£¬º×¯PÏn/ú]$CgP!Â2 qì^g#¦SüR ¬ø·öx·ry¦4q^²q(F&1z>duZû*PGË«@Åjµ.S§êÐÜÔrDínß&OyJ#Á¹Æwï éÂ?"#;÷Ü/Qy^ØÒò~O,ya»`E íÀ>3W:ÿIPÏ³ Ó-.99Äá}! a¨Î&¢ktád¡Ôú¸>]ÇàÆÅpS(@× ùí½Z)ÊÔ÷[lèunôI\ñ®¢hÊJ×ÐÆ¢pRìÜµ+±o·ÀlXc#ëÃ¤·ÍðÒÑ¨UaòòÎC<ux ¬èqÍZ¡v#ß Æ{·!ßÂd crypto_handle: 0x00596398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00596398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA1·i1QÀæñb9ÑÇ'ñ³c¾¦¦X7&<XYÇRÂ¤d@Xã¿µMä¿?û ÿÿR0±#ßþ®é\|'5GÑ«ä,/Z°WÓ¹Û/ö,%NTI5:Sê§ùj·IÍ<U"sÆt[3Ð.f® crypto_handle: 0x00596398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x0059af90 algorithm_identifier: 0x00006610 () flags: 1 key: f réH,îJé4<1ðaºøoÉaêóbZÇgDû provider_handle: 0x0059b808	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f réH,îJé4<1ðaºøoÉaêóbZÇgDû crypto_handle: 0x0059af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x0059af90 algorithm_identifier: 0x00006610 () flags: 1 key: f 2\|ëªûÆ å4FcfZ[+È5åÖZ9Y´É provider_handle: 0x0059b808	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f 2\|ëªûÆ å4FcfZ[+È5åÖZ9Y´É crypto_handle: 0x0059af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x005c53b8 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x005c5330	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA2S5<;yYØ®sFmÌ GÃý¢]×§ÐÐ]7qÙ]o¿øUkOä ì²Ä1ùE^NxB3±¡$EûfúaWé}/5©N1aµ(NF¦¼ÍR¦6ËIGp]tK¦ºI1ÉÙ¨oâõô#Àê¢´í0P8mñÉõKj_²²¢ÂW¯±eûfã:!îÝTW²lÄQ"lì#]6Kõ«ïm+Äxêð¸ü.hN$g$ú;n`È¥Ó\|bÖEmn®kÄZV@_p3þ-×´T¡uîØ0SÃÜqXñ\ixÚ«ÿxÜõìüâ®F÷Ä ±«üÊF +òå'«Ìô-Ù¨vàMho-q, MÜ2þ«9«UËn«EOëQw ¦të±¶#npdEö þ½Ä«yF3aþ?õï¸ø2±.cÛQ.]?I~ý±ÍÀ9ÂWEÐÛ©ÿ©¥ÑiÑK>o}Nû5¿Î®½á[ùüOæ[ÇvG Ò´ªòO$ýªù=ÔÎýnþ·ó)Ääó .ãj±`¹¹'À[õryvêmym%·N(M´N¤ê¸[¤HÄ´~2_ÑbmßùaXz¾ùC¦=<×uâéó\òYÐ§í¨tøH©:8-RÏx'ÖÈ1JSI¼òp!'»$»³é?ì²Ðvoº,ö+¶ crypto_handle: 0x005c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA1S5<;yYØ®sFmÌ GÃý¢]×§ÐÐ]7qÙ]o¿øUkOä ì²Ä1ùE^NxB3±¡$EûfúaWé}/5©N1aµ(*NF¦¼ÍR¦6ËIGp]tK¦ºI1ÉÙ¨oâõô#Àê¢´í0P8mñ crypto_handle: 0x005c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x005c9fb0 algorithm_identifier: 0x00006610 () flags: 1 key: f Úóe LQ¿Õ½ç0é-ÜÆØ® ÐyîóVmV provider_handle: 0x005ca828	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f Úóe LQ¿Õ½ç0é-ÜÆØ® ÐyîóVmV crypto_handle: 0x005c9fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x005c9fb0 algorithm_identifier: 0x00006610 () flags: 1 key: f ªv%Ý> ijÖI& ÿûÁìàzE¡æ ,+[[ provider_handle: 0x005ca828	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f ªv%Ý> ijÖI& ÿûÁìàzE¡æ ,+[[ crypto_handle: 0x005c9fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x00616398 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x00616310	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA2ácI-?]áâÿÍrNl½aaVvl¾HÍÔ¡[¨c_¹2ô¹û%uf®WÚÏ9åzù¿» àÊkgºDL÷»£Ü&Îr78£<pcmÍns]8ÜBgd½×IåÐ³Gíüîïùu^G©h§Å»UxÎÏd«Çh±û´nùãñ<(?êmYú`Ë"Y{õï"6ËDT6È4ië{j¨Íâ¡b=Àêm7_¨7à UW<qQ7×Ó²dàYýuòãìð íV6H}kÖÓ§W³05êú5y5j®zýñ}11ð¶EytÊ"vzDèéä¦Ñb+¶ÝXÜÖE¹èUy["å-Â,}Ô©Ë3ê)M3Ó>°7\|YNx»6\|u4â¾·BáÇt½`ø<¯ÖCôå(Ðª'Èð'Ý ,:íöw jË^EÅ}«:ymx/Á¸ÇHE ×hà\|D .ý*$#%güÍdb`O%§cª¡&óÊxO¸íOÝÃ\£ßó:À¿AÃq%ä~3ÌÞË¡ÀJSöD eã Ú¼gÀ}4ºwv¼µªu¶L²sI9ËnÂl7\J#¼ÒþÕ×ê\|G«c Mîi+zãÀÛEÞ½¡¥\|Ñ¼Íì´ÜåV"!¨ f3³>ßdULùø×¸öÙD£mÛÎÞÎçRA=oJN; crypto_handle: 0x00616398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA1ácI-?]áâÿÍrNl½aaVvl¾HÍÔ¡[¨c_¹2ô¹û%uf®WÚÏ9åzù¿» àÊkgºDL÷»£Ü&Îr*78£<pcmÍns]8ÜBgd½×IåÐ³Gíüîïùu^G©h§ crypto_handle: 0x00616398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x0061af90 algorithm_identifier: 0x00006610 () flags: 1 key: f 7·ÉXG)<òBVó ÈÈ,ù®÷¬?÷ provider_handle: 0x0061b808	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f 7·ÉXG)<òBVó ÈÈ,ù®÷¬?÷ crypto_handle: 0x0061af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x0061af90 algorithm_identifier: 0x00006610 () flags: 1 key: f 7R·ÏßßMf±É~üÉH¸g¬JfmV¯eéåä® provider_handle: 0x0061b808	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: f 7R·ÏßßMf±É~üÉH¸g¬JfmV¯eéåä® crypto_handle: 0x0061af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x004c53b8 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x004c5330	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA2Ñ°ÍfÁÿ&¼Ý$ÅÂfVèÈÏZ²Ò9b<Íè§Å<tI±H©BkS¨Ã Psµ4h^Á(íë×4Ôÿ{Y¤ÄC·ôã¨;x÷ÊbÕFÕ¢£.@{õ"@Þ5&ªõG¶b6Y¬K:KµSß&Øª½Ø)]¨\c ¢§ï^°qayvöî~ø`+#®æUÉÆ,[3Ú8ÏI/N`)éò76÷P·R©ÐóyG¤vL½7îì:li Ä¡W?1-ä@¢}ì¾§(ÍÂ.RY´«e¸ïhÄ1©ìòÔ¾%A2×m@pâ!ñwZÌðìU¡üNU,`Vs´IÈÁÂéªitJÂlÀôN§®\|-½k'aÃQueªñ0PÖ"í;ððÄY+¬Uú#!?j\Ád£íoÑd&ÆJí}úÙGJÉ/mªJÿxÌ Ü>n:ò¾®Á½·eIm´f¨ªhó±v¶©B!áím¥åãî}½fºOÙzÅÞ c4PÛMáÌVN «YGdXW{Ü²¿&:CCP4ìú#yD¬,Å¿M(~Ë¾y(?¼JîÈÝýæ* ñL7P/-Èrkv¹Fô;+nÈ8Yûxç~1e×ñqÃ+zù6àYÇý 7þÇÊÚ&o6ÓxV crypto_handle: 0x004c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:08 a.m.	buffer: ¤RSA1Ñ°ÍfÁÿ&¼Ý$ÅÂfVèÈÏZ²Ò9b<Íè§Å<tI±H©BkS¨Ã Psµ4h^Á(íë×4Ôÿ{Y¤ÄC·ôã¨;x÷ÊbÕFÕ¢£.@{õ"@Þ5&ªõG¶b6Y¬K:KµSß&Øª½ crypto_handle: 0x004c53b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey Nov. 5, 2021, 9:08 a.m.	crypto_handle: 0x004c9fb0 algorithm_identifier: 0x00006610 () flags: 1 key: f ÿ¢EÖ«À\Û&×Å÷ÛºØ,ÿ!±;Yd provider_handle: 0x004ca828	1	1

This executable has a PDB path (1 event)

pdb_path

c:\Safe\Share\Born\magnet\Thin.pdb

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02255000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 region_size: 2932736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2788 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02255000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 region_size: 2932736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a18000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a75000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 region_size: 2932736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b25000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 region_size: 2932736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x761a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73df1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:06 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02255000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:08 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 129 seconds, actually delayed analysis time by 129 seconds

Communicates with host for which no DNS query was performed (1 event)

host

185.117.90.36

sdd.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All