Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 17, 2021, 8 a.m.	Nov. 17, 2021, 8:17 a.m.

Size	461.6KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`f4a6ec71e178159db07d8dcc066755be`
SHA256	`fcbeae9dee064417f51c4d52a9b303c9d65f305955c03ce08f8d0cee7921f648`
CRC32	`986245D4`
ssdeep	`6144:UYD2HJTwbR5aOPjZRS8muMnYrlsXnBmYSYCT0uBohlfX37GFuQ47bxoqGhz10PuE:UYxaOPrSMhrldYCzo3bFbeP1GuE`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,DllRegisterServer
2332
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,DllRegisterServer
  2848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ServiceResume
2520
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ServiceResume
  2056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ServiceSuspend
2624
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ServiceSuspend
  3056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,DllUnregisterServer
2436
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,DllUnregisterServer
  2084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,aldiednw
2804
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,aldiednw
  2376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ajjttwdrhx
2712
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ajjttwdrhx
  2484
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,cjehjyqrvwwu
2936
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,cjehjyqrvwwu
  2560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,cjsbkzwhilgeoxo
3032
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,cjsbkzwhilgeoxo
  2636
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,dfzhojx
2512
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,dfzhojx
  2860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,fdxaaidqtas
2912
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,fdxaaidqtas
  2232
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ftreudcmbs
2420
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ftreudcmbs
  2716
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,gcdejqtbubuh
2820
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,gcdejqtbubuh
  2888
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,gqqiyeoguo
3064
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,gqqiyeoguo
  2652
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,hyenoqhmbrua
2748
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,hyenoqhmbrua
  2148
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ihijiavixtn
2468
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ihijiavixtn
  2864
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ijzptiuzbhdogzk
2196
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ijzptiuzbhdogzk
  2832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,jruqxbd
2396
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,jruqxbd
  2684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ncgbknudt
3080
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ncgbknudt
  3356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,mobdsrvxjwftx
2744
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,mobdsrvxjwftx
  3296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,otujoknwzuc
3168
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,otujoknwzuc
  3416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,qkkpfbmpgkrix
3268
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,qkkpfbmpgkrix
  3544
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,tizamkqejqjez
3484
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,tizamkqejqjez
  3652
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,vygplyhbhmp
3772
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,vygplyhbhmp
  3956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,xbzuwlcjy
3948
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,xbzuwlcjy
  3244
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,xcvgbxauyammqayhq
4080
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,xcvgbxauyammqayhq
  3456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ydekhkuxwmz
3148
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,ydekhkuxwmz
  3496
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko12.dll,
3176

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	REGISTRY
resource name	TYPELIB

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 1998422456 registers.r15: 38891216 registers.rcx: 1997503120 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 1997503120 registers.rsp: 914152 registers.r11: 3282128 registers.r8: 64 registers.r9: 914744 registers.rdx: 64 registers.r12: 1998414488 registers.rbp: 914416 registers.rdi: 0 registers.rax: 0 registers.r13: 1998430392	1
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 1998422456 registers.r15: 38694608 registers.rcx: 1997503120 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 1997503120 registers.rsp: 1044808 registers.r11: 2102464 registers.r8: 64 registers.r9: 1045400 registers.rdx: 64 registers.r12: 1998414488 registers.rbp: 1045072 registers.rdi: 0 registers.rax: 0 registers.r13: 1998430392	1
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 1998422456 registers.r15: 37973712 registers.rcx: 1997503120 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 1997503120 registers.rsp: 2357192 registers.r11: 3277984 registers.r8: 64 registers.r9: 2357784 registers.rdx: 64 registers.r12: 1998414488 registers.rbp: 2357456 registers.rdi: 0 registers.rax: 0 registers.r13: 1998430392	1
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 1998422456 registers.r15: 38956752 registers.rcx: 1997503120 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 1997503120 registers.rsp: 1373640 registers.r11: 2299088 registers.r8: 64 registers.r9: 1374232 registers.rdx: 64 registers.r12: 1998414488 registers.rbp: 1373904 registers.rdi: 0 registers.rax: 0 registers.r13: 1998430392	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 528 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e25000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076daa000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e19000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076deb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dae000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dac000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d94000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076df1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076db1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076df2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e00000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dec000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dda000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dda000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076e1f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d91000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d92000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076d9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076deb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ddb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076da9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076dda000 process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00014000', u'virtual_address': u'0x00064000', u'entropy': 7.652330961780087, u'name': u'.rsrc', u'virtual_size': u'0x00013e10'}

entropy

7.65233096178

description

A section with a high entropy has been found

luko12

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All