Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2023, 7:57 a.m.	March 8, 2023, 7:59 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`34517f9ebbfdc93ea5590bdff48b8c0b`
SHA256	`6ceb50da4275db929de139517ee96a5617ca2a8dead8db120d4f43a467f2fbf5`
CRC32	`69BD76B2`
ssdeep	`24576:z9Pdh1k8BKSPzr//PYp18m27hly2tjrPAU1th7ERmVts112HvUU9/JPrThakPTc:hPdhb9//M8/yEsCERL2HvUU7zFakPTc`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) PE_Header_Zero - PE File Signature

358.exe "C:\Users\test22\AppData\Local\Temp\358.exe"
884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
43.154.61.211	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2023, 7:57 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2023, 7:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sedata

One or more processes crashed (50 out of 372 events)

Time & API	Arguments	Status
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 358+0x14763b @ 0x54763b 358+0x181734 @ 0x581734 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: eb 09 70 e7 77 12 e1 58 9a f5 e4 c3 e9 51 ff ff exception.symbol: 358+0x9f886 exception.instruction: jmp 0x49f891 exception.module: 358.exe exception.exception_code: 0x80000003 exception.offset: 653446 exception.address: 0x49f886 registers.esp: 1638008 registers.edi: 0 registers.eax: 0 registers.ebp: 1638052 registers.edx: 582600 registers.ebx: 5 registers.esi: 7596120 registers.ecx: 7596120	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 1637020 registers.edi: 1637020 registers.eax: 3891709298 registers.ebp: 1637256 registers.edx: 4800625 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800625	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 48036684 registers.edi: 48036684 registers.eax: 1161732833 registers.ebp: 48036920 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 46725956 registers.edi: 46725956 registers.eax: 1110227812 registers.ebp: 46726192 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 46725976 registers.edi: 46725976 registers.eax: 1110227812 registers.ebp: 46726212 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 49347416 registers.edi: 49347416 registers.eax: 1110227812 registers.ebp: 49347652 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 48036684 registers.edi: 48036684 registers.eax: 1161732833 registers.ebp: 48036920 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 48036684 registers.edi: 48036684 registers.eax: 1161732833 registers.ebp: 48036920 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 49347416 registers.edi: 49347416 registers.eax: 1110227812 registers.ebp: 49347652 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 46725956 registers.edi: 46725956 registers.eax: 1110227812 registers.ebp: 46726192 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 46725976 registers.edi: 46725976 registers.eax: 1110227812 registers.ebp: 46726212 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 48036684 registers.edi: 48036684 registers.eax: 1161732833 registers.ebp: 48036920 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 44104508 registers.edi: 44104508 registers.eax: 1110227812 registers.ebp: 44104744 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 41483064 registers.edi: 41483064 registers.eax: 1110227812 registers.ebp: 41483300 registers.edx: 4800999 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800999	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 40434492 registers.edi: 40434492 registers.eax: 1161732833 registers.ebp: 40434728 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 45415212 registers.edi: 45415212 registers.eax: 1161732833 registers.ebp: 45415448 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: 8d 14 31 2b d4 7d 30 7c 18 f5 e4 17 7e 0e 64 93 exception.symbol: 358+0xd206d exception.instruction: lea edx, dword ptr [ecx + esi] exception.module: 358.exe exception.exception_code: 0x80000004 exception.offset: 860269 exception.address: 0x4d206d registers.esp: 42793784 registers.edi: 42793784 registers.eax: 1161732833 registers.ebp: 42794020 registers.edx: 4800799 registers.ebx: 268671696 registers.esi: 5068572 registers.ecx: 4800799	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 4861 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 region_size: 1576960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:57 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW March 8, 2023, 7:58 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9931632640 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW March 8, 2023, 7:58 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9931632640 root_path: D:\ total_number_of_bytes: 34252779520		0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001870e8

size

0x00042028

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001c9110

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001c9124

size

0x00000418

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)

Time & API	Arguments	Status	Return
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: taskhost.exe process_identifier: 1156	1	1
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: sdclt.exe process_identifier: 1540	1	1
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: SearchProtocolHost.exe process_identifier: 632	1	1
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: conhost.exe process_identifier: 1572	1	1
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: SearchFilterHost.exe process_identifier: 1028	1	1
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: 358.exe process_identifier: 884	1	1
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: pw.exe process_identifier: 1532	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 8, 2023, 7:58 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x040f1000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00029000', u'virtual_address': u'0x00001000', u'entropy': 7.977653803992401, u'name': u'.text', u'virtual_size': u'0x00093000'}

entropy

7.97765380399

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000f2000', u'virtual_address': u'0x00094000', u'entropy': 7.58692583780819, u'name': u'.sedata', u'virtual_size': u'0x000f2000'}

entropy

7.58692583781

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x001ca000', u'entropy': 7.981057857289275, u'name': u'.sedata', u'virtual_size': u'0x00001000'}

entropy

7.98105785729

description

A section with a high entropy has been found

entropy

0.806818181818

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 51 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000026c process_name: pw.exe process_identifier: 7602224		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000270 process_name: pw.exe process_identifier: 3014768		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000274 process_name: pw.exe process_identifier: 7274573		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000278 process_name: pw.exe process_identifier: 5046390		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000294 process_name: pw.exe process_identifier: 7536688		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000298 process_name: pw.exe process_identifier: 6619246		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000029c process_name: pw.exe process_identifier: 6881397		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002a0 process_name: pw.exe process_identifier: 7602277		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002a4 process_name: pw.exe process_identifier: 5177421		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002a8 process_name: pw.exe process_identifier: 5046338		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002ac process_name: pw.exe process_identifier: 6619235		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002b0 process_name: pw.exe process_identifier: 4456552		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002b4 process_name: pw.exe process_identifier: 6553705		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002b8 process_name: pw.exe process_identifier: 6815859		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002bc process_name: pw.exe process_identifier: 6619251		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002c0 process_name: pw.exe process_identifier: 6684769		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002c4 process_name: pw.exe process_identifier: 6357091		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002c8 process_name: pw.exe process_identifier: 7733331		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002cc process_name: pw.exe process_identifier: 6815860		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002d0 process_name: pw.exe process_identifier: 7667815		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002d4 process_name: pw.exe process_identifier: 6619251		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002d8 process_name: pw.exe process_identifier: 7209061		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002dc process_name: pw.exe process_identifier: 3014768		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002e0 process_name: pw.exe process_identifier: 5374032		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002e4 process_name: e process_identifier: 7471201		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002e8 process_name: pw.exe process_identifier: 6619251		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002ec process_name: pw.exe process_identifier: 7733331		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002f0 process_name: pw.exe process_identifier: 7667821		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002f4 process_name: pw.exe process_identifier: 7274605		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002f8 process_name: pw.exe process_identifier: 5439553		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x000002fc process_name: pw.exe process_identifier: 7602290		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000300 process_name: pw.exe process_identifier: 5439555		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000304 process_name: pw.exe process_identifier: 4390992		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000308 process_name: pw.exe process_identifier: 6553705		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000030c process_name: pw.exe process_identifier: 4522030		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000310 process_name: pw.exe process_identifier: 6619182		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000314 process_name: pw.exe process_identifier: 3670069		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000318 process_name: at.exe process_identifier: 6684781		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000031c process_name: pw.exe process_identifier: 7536756		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 4784233		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000324 process_name: pw.exe process_identifier: 7471170		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000328 process_name: pw.exe process_identifier: 7143542		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000032c process_name: pw.exe process_identifier: 6553715		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000330 process_name: pw.exe process_identifier: 7864421		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000334 process_name: process_identifier: 7733362		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000338 process_name: pw.exe process_identifier: 3342387		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x0000033c process_name: pw.exe process_identifier: 3014736		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000340 process_name: pw.exe process_identifier: 7471220		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000344 process_name: pw.exe process_identifier: 6619219		0	0
Process32NextW March 8, 2023, 7:57 a.m.	snapshot_handle: 0x00000348 process_name: pw.exe process_identifier: 4980808		0	0

Communicates with host for which no DNS query was performed (1 event)

host

43.154.61.211

Creates known Nitol/ServStart files, registry keys and/or mutexes (1 event)

regkey

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abcdef

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectNet.01
Lionic	Hacktool.Win32.Generic.mzIW
tehtris	Generic.Malware
FireEye	Generic.mg.34517f9ebbfdc93e
McAfee	Artemis!34517F9EBBFD
Malwarebytes	Ramnit.Virus.FileInfector.DDS
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005239691 )
Alibaba	Packed:Win32/NoobyProtect.d79656f8
K7GW	Adware ( 005693e61 )
CrowdStrike	win/malicious_confidence_100% (D)
BitDefenderTheta	Gen:NN.ZexaF.36308.yv0@auz9Mepb
Cyren	W32/Trojan.HPC.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.NoobyProtect.M suspicious
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Backdoor.Win32.Lotok.lna
BitDefender	Trojan.GenericKD.65823226
Avast	RATX-gen [Trj]
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Injector.tc
Trapmine	malicious.high.ml.score
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1237427
Antiy-AVL	GrayWare/Win32.Safeguard.a
Gridinsoft	Trojan.Heur!.03010021
Xcitium	TrojWare.Win32.Amtar.KNB@4wlm66
Microsoft	Trojan:Win32/Casdet!rfn
GData	Win32.Packed.NoobyProtect.B
Google	Detected
AhnLab-V3	Trojan/Win.Leonem.C5391929
MAX	malware (ai score=85)
Cylance	unsafe
Rising	Trojan.Generic@AI.98 (RDML:VAs4Eaj1i2LXHlcbawk37Q)
Ikarus	PUA.NoobyProtect
MaxSecure	Virus.W32.packed.Noobyprotect.B
Fortinet	Riskware/Application
AVG	RATX-gen [Trj]

358.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All