Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 28, 2023, 7:23 a.m.	June 28, 2023, 7:25 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1cbb726aada6d392c55f2a52113d05eb`
SHA256	`1480f8c6b0fba994c00375e833b1c7aa0399e8aa92f00a41d3038f851d64ff9e`
CRC32	`3B283AF6`
ssdeep	`24576:gk70Trcj+4W2stXjtM4p9Khb4tDF6rR2Go6CPdXJ6W:gkQTAj+oste4pW4F4R2GOd`
PDB Path
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library UltraVNC_Zero - UltraVNC IsPE32 - (no description) PE_Header_Zero - PE File Signature

Lion.exe "C:\Users\test22\AppData\Local\Temp\Lion.exe"
884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 28, 2023, 7:23 a.m.			0	0
IsDebuggerPresent June 28, 2023, 7:23 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (5 events)

Time & API	Arguments	Status	Return
CryptExportKey June 28, 2023, 7:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006758e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2023, 7:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006758e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2023, 7:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2023, 7:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 28, 2023, 7:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 28, 2023, 7:23 a.m.		1	1	0

One or more processes crashed (50 out of 229 events)

Time & API	Arguments	Status
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: lion+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 12	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7277	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7245	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7213	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7181	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7149	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4374448 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7117	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4378544 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7085	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4382640 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7053	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4386736 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 7021	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4390832 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6989	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4394928 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6957	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4399024 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6925	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4403120 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6893	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4407216 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6861	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4411312 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6829	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4415408 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6797	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4419504 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6765	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4423600 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6733	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4427696 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6701	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4431792 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6669	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4435888 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6637	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4439984 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6605	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4444080 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6573	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4448176 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6541	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4452272 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6509	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4456368 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6477	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4460464 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6445	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4464560 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6413	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4468656 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6381	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4472752 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6349	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4476848 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6317	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4480944 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6285	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4485040 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6253	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4489136 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6221	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4493232 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6189	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4497328 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6157	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4501424 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6125	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4505520 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6093	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4509616 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6061	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4513712 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 6029	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4517808 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5997	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4521904 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5965	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4526000 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5933	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4530096 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5901	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4534192 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5869	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4538288 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5837	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4542384 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5805	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4546480 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5773	1
__exception__ June 28, 2023, 7:23 a.m.	stacktrace: lion+0xf054 @ 0x40f054 lion+0xf0a0 @ 0x40f0a0 lion+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: lion+0xefff exception.address: 0x40efff exception.module: Lion.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4550576 registers.eax: 4350256 registers.ebp: 1636944 registers.edx: 44 registers.ebx: 0 registers.esi: 33292320 registers.ecx: 5741	1

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73eb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73eb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02401000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02403000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02404000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000e4c00', u'virtual_address': u'0x00026000', u'entropy': 7.999684898907838, u'name': u'.rsrc', u'virtual_size': u'0x000e4b74'}

entropy

7.99968489891

description

A section with a high entropy has been found

entropy

0.871428571429

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 28, 2023, 7:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 28, 2023, 7:23 a.m.	status_code: 0xffffffff process_identifier: 2100 process_handle: 0x00000234		0	0
NtTerminateProcess June 28, 2023, 7:23 a.m.	status_code: 0xffffffff process_identifier: 2100 process_handle: 0x00000234	1	0	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 2100 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c		3221225496	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 884 manipulating memory of non-child process 2100
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 2100 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c		3221225496	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
NtResumeThread June 28, 2023, 7:23 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 884	1	0
NtResumeThread June 28, 2023, 7:23 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 884	1	0
NtResumeThread June 28, 2023, 7:23 a.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 884	1	0
NtResumeThread June 28, 2023, 7:23 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 884	1	0
CreateProcessInternalW June 28, 2023, 7:23 a.m.	thread_identifier: 2104 thread_handle: 0x00000228 process_identifier: 2100 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000022c	1	1
NtGetContextThread June 28, 2023, 7:23 a.m.	thread_handle: 0x00000228	1	0
NtAllocateVirtualMemory June 28, 2023, 7:23 a.m.	process_identifier: 2100 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c		3221225496

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Generic
ALYac	Trojan.GenericKD.67654223
Cylance	unsafe
Zillya	Trojan.Generic.Win32.1751907
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:MSIL/NanoCore.1f2543f4
K7GW	Trojan ( 005a1d701 )
K7AntiVirus	Trojan ( 005a1d701 )
VirIT	Trojan.Win32.Genus.RMP
Cyren	W32/ABRisk.MFFE-6421
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	MSIL/NanoCore.E
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.67654223
MicroWorld-eScan	Trojan.GenericKD.67654223
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13d9c83e
Emsisoft	Trojan.GenericKD.67654223 (B)
F-Secure	Trojan.TR/AD.BDSNanoCoreClient.muyhx
DrWeb	Trojan.Nanocore.23
VIPRE	Trojan.GenericKD.67654223
TrendMicro	TROJ_GEN.R03BC0XFN23
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
FireEye	Generic.mg.1cbb726aada6d392
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
GData	Trojan.GenericKD.67654223
Webroot	W32.Malware.Gen
Avira	TR/AD.BDSNanoCoreClient.muyhx
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Trojan.Win32.NanoCore.bot
Xcitium	Malware@#3hqgcz5o09eyr
Arcabit	Trojan.Generic.D408524F
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Backdoor:MSIL/Nanocore.S!MTB
Google	Detected
AhnLab-V3	Trojan/Win.PWSX-gen.C5444206
McAfee	Artemis!1CBB726AADA6
MAX	malware (ai score=80)
VBA32	Trojan.NanoBot
Malwarebytes	Trojan.MalPack
Panda	Trj/CI.A
Zoner	Trojan.Win32.157930

Lion.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All