Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 17, 2021, 8 a.m.	Nov. 17, 2021, 8:05 a.m.

Size	461.6KB
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`850964e5f638c8365f0f0a8bd18c95b6`
SHA256	`0d91e5c09f2861046ed04160670adf99b24257965c32f14e1749366eeee15fd4`
CRC32	`DB801277`
ssdeep	`6144:UYD2HJTwbR5aOPjZRS8muMnYrlsXnBmYSYCT0uBohlfX37GFuQ47bxoqGhz10PuG:UYxaOPrSMhrldYCzo3bFbeP1GuG`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,DllUnregisterServer
2864
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,DllUnregisterServer
  2764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,DllRegisterServer
2780
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,DllRegisterServer
  2340
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ServiceResume
2956
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ServiceResume
  196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ServiceSuspend
3044
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ServiceSuspend
  2776
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ajjttwdrhx
1112
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ajjttwdrhx
  2904
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,aldiednw
2184
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,aldiednw
  3012
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,cjehjyqrvwwu
2292
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,cjehjyqrvwwu
  2072
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,cjsbkzwhilgeoxo
2644
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,cjsbkzwhilgeoxo
  2056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,dfzhojx
2972
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,dfzhojx
  2720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,fdxaaidqtas
2336
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,fdxaaidqtas
  2984
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ftreudcmbs
2812
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ftreudcmbs
  2816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,gcdejqtbubuh
2500
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,gcdejqtbubuh
  3008
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,gqqiyeoguo
3064
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,gqqiyeoguo
  3092
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,hyenoqhmbrua
3056
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,hyenoqhmbrua
  3260
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ihijiavixtn
3212
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ihijiavixtn
  3472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ijzptiuzbhdogzk
3356
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ijzptiuzbhdogzk
  3600
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,jruqxbd
3452
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,jruqxbd
  3684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,mobdsrvxjwftx
3592
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,mobdsrvxjwftx
  3816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ncgbknudt
3772
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ncgbknudt
  4060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,otujoknwzuc
3924
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,otujoknwzuc
  3108
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,qkkpfbmpgkrix
4012
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,qkkpfbmpgkrix
  3352
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,tizamkqejqjez
3136
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,tizamkqejqjez
  3532
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,vygplyhbhmp
3276
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,vygplyhbhmp
  3628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,xbzuwlcjy
3488
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,xbzuwlcjy
  3476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,xcvgbxauyammqayhq
3760
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,xcvgbxauyammqayhq
  3952
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ydekhkuxwmz
3960
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,ydekhkuxwmz
  3248
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\luko5.dll,
3172

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0
IsDebuggerPresent Nov. 17, 2021, 7:53 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	REGISTRY
resource name	TYPELIB

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2002158008 registers.r15: 41184976 registers.rcx: 2001238672 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 2001238672 registers.rsp: 783640 registers.r11: 3260160 registers.r8: 64 registers.r9: 784232 registers.rdx: 64 registers.r12: 2002150040 registers.rbp: 783904 registers.rdi: 0 registers.rax: 0 registers.r13: 2002165944	1
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2002158008 registers.r15: 40857296 registers.rcx: 2001238672 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 2001238672 registers.rsp: 2355784 registers.r11: 966416 registers.r8: 64 registers.r9: 2356376 registers.rdx: 64 registers.r12: 2002150040 registers.rbp: 2356048 registers.rdi: 0 registers.rax: 0 registers.r13: 2002165944	1
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2002158008 registers.r15: 40595152 registers.rcx: 2001238672 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 2001238672 registers.rsp: 1373192 registers.r11: 2342688 registers.r8: 64 registers.r9: 1373784 registers.rdx: 64 registers.r12: 2002150040 registers.rbp: 1373456 registers.rdi: 0 registers.rax: 0 registers.r13: 2002165944	1
__exception__ Nov. 17, 2021, 7:53 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2002158008 registers.r15: 42233552 registers.rcx: 2001238672 registers.rsi: 0 registers.r10: 3221225715 registers.rbx: 2001238672 registers.rsp: 1243288 registers.r11: 2932480 registers.r8: 64 registers.r9: 1243880 registers.rdx: 64 registers.r12: 2002150040 registers.rbp: 1243552 registers.rdi: 0 registers.rax: 0 registers.r13: 2002165944	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 554 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001dd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077015000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f92000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f89000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077009000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fdb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f9e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f96000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f96000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f9c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f84000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f91000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f89000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fa2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f97000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fe1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fa1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fe2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ff0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f90000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fdc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fca000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fca000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007700f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f82000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f99000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f8a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fdb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fcb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 17, 2021, 7:53 a.m.	process_identifier: 196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076f99000 process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00014000', u'virtual_address': u'0x00064000', u'entropy': 7.652330961780087, u'name': u'.rsrc', u'virtual_size': u'0x00013e10'}

entropy

7.65233096178

description

A section with a high entropy has been found

luko5

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All