Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 2, 2023, 8:47 a.m.	Oct. 2, 2023, 8:51 a.m.

Size	744.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f874356ddee152fcdb366283fbb70d86`
SHA256	`ae346575b504f4c6440a8c7f3f3b6d3ca3507679cb851aa1572edac210ff1eef`
CRC32	`470422E9`
ssdeep	`12288:tUs9rDJBnYwPzIFb4Hkslb58JJToePbRp/D9k5Z7Jjlpqj74F4rN+KvLU/7frwFQ:qs9rN9YwPzIFbDslb50xVdDm5Z1ppqXS`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

redlol.exe "C:\Users\test22\AppData\Local\Temp\redlol.exe"
1508
- redlol.exe "C:\Users\test22\AppData\Local\Temp\redlol.exe"
  516

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.254.136.18	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (50 out of 12260 events)

Time & API	Arguments	Status
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: 0x476fe5 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 0x40151e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f 09 6b 92 7a b6 dc 35 10 45 86 e0 71 b6 6b 26 exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d91111 registers.esp: 1636920 registers.edi: 31002944 registers.eax: 4676644 registers.ebp: 1637152 registers.edx: 1637624 registers.ebx: 0 registers.esi: 6834312 registers.ecx: 30998528	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 0x476fe5 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 0x40151e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ec 0b 21 e2 42 4a c6 4a 4e b8 49 52 d0 18 3c 8c exception.instruction: in al, dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d9125a registers.esp: 1635116 registers.edi: 1635796 registers.eax: 97909727 registers.ebp: 1635180 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 31003406 registers.ecx: 757	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: 0x476fe5 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 0x40151e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: a3 00 00 00 00 1a 59 d7 f6 02 4f ee 02 6a ca eb exception.instruction: mov dword ptr [0], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1d91d5d registers.esp: 1636940 registers.edi: 31005670 registers.eax: 4676644 registers.ebp: 1637152 registers.edx: 1637624 registers.ebx: 0 registers.esi: 6834312 registers.ecx: 30998528	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: f4 a5 55 b8 3b 74 b2 ad b4 3c 43 48 c2 70 ab 46 exception.instruction: hlt exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d90794 registers.esp: 1635120 registers.edi: 0 registers.eax: 0 registers.ebp: 1635816 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 31000677 registers.ecx: 31005670	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 06 95 1b c8 45 90 42 ab 53 74 b6 21 10 27 5e exception.instruction: clts exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d9249e registers.esp: 1636932 registers.edi: 3 registers.eax: 4676644 registers.ebp: 31008376 registers.edx: 1637624 registers.ebx: 0 registers.esi: 6834312 registers.ecx: 30998528	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: e6 82 e9 65 f3 ff ff 98 96 2a 00 4a 77 db e2 a2 exception.instruction: out -0x7e, al exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d915f9 registers.esp: 1635128 registers.edi: 1635808 registers.eax: 16 registers.ebp: 1635192 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 31001135 registers.ecx: 4294963462	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: f4 e9 04 fc ff ff e9 50 10 00 00 0f 85 df 20 00 exception.instruction: hlt exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d9070f registers.esp: 1633324 registers.edi: 1634004 registers.eax: 16 registers.ebp: 31002440 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 31001135	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 0f 09 52 e9 de 0d 00 00 35 be c3 31 04 25 98 44 exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d9039f registers.esp: 1635100 registers.edi: 1635808 registers.eax: 16 registers.ebp: 1635192 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 31000078 registers.ecx: 4294963462	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: 0x401326 0x401326 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77911ecd exception.instruction_r: cf e9 26 df ff ff e9 cc f4 ff ff e9 6c 02 00 00 exception.instruction: iretd exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1d92407 registers.esp: 1636904 registers.edi: 3 registers.eax: 4676644 registers.ebp: 1637132 registers.edx: 1637624 registers.ebx: 0 registers.esi: 31004387 registers.ecx: 30998528	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: f4 6a 74 b0 b7 d0 c9 7e 22 90 4e 68 eb 03 2d 6a exception.instruction: hlt exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d90056 registers.esp: 1636876 registers.edi: 3 registers.eax: 4676644 registers.ebp: 30998697 registers.edx: 1637624 registers.ebx: 31008584 registers.esi: 6834312 registers.ecx: 30998528	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: e7 bc 45 25 df e6 3f 42 28 72 ac 39 bb fc 0f 41 exception.instruction: out -0x44, eax exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d90deb registers.esp: 1635072 registers.edi: 0 registers.eax: 16 registers.ebp: 1635136 registers.edx: 2005822157 registers.ebx: 1635752 registers.esi: 31002174 registers.ecx: 30998697	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: 0x401326 0x401326 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77911ecd exception.instruction_r: 66 6d 64 76 48 d9 d9 ee 32 84 2d f2 37 ac 96 19 exception.instruction: insw word ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d92690 registers.esp: 1636904 registers.edi: 3 registers.eax: 4676644 registers.ebp: 1637132 registers.edx: 1637624 registers.ebx: 31008584 registers.esi: 6834312 registers.ecx: 30998528	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 09 91 9a 04 ad 59 e3 80 31 d3 7f da be 67 4b exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d904c2 registers.esp: 1635096 registers.edi: 0 registers.eax: 16 registers.ebp: 30999809 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 31008584	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 6f e9 8c 03 00 00 e9 47 fc ff ff 81 e1 a1 a8 25 exception.instruction: outsd dx, dword ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d91c23 registers.esp: 1635072 registers.edi: 0 registers.eax: 184 registers.ebp: 31000196 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4294965106	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: e5 21 19 9f b8 39 5f c7 1b 51 b9 c2 e1 d6 0a 11 exception.instruction: in eax, 0x21 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d9253e registers.esp: 1633268 registers.edi: 31008239 registers.eax: 184 registers.ebp: 1633948 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 1375	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: ec e9 76 fd ff ff 83 c4 08 e9 80 17 00 00 01 4c exception.instruction: in al, dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d90475 registers.esp: 1631448 registers.edi: 30999253 registers.eax: 16 registers.ebp: 1631528 registers.edx: 2005822157 registers.ebx: 1632144 registers.esi: 0 registers.ecx: 31008239	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 66 6d ee 2a ab 65 cd e4 67 8a 4e ad 49 9c 99 53 exception.instruction: insw word ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d90e9e registers.esp: 1633248 registers.edi: 1633320 registers.eax: 184 registers.ebp: 1633948 registers.edx: 2005822157 registers.ebx: 31005641 registers.esi: 0 registers.ecx: 1375	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: e7 b1 e9 4b fb ff ff 50 e9 ac 14 00 00 b9 fe f8 exception.instruction: out -0x4f, eax exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d9118a registers.esp: 1633260 registers.edi: 0 registers.eax: 184 registers.ebp: 1633948 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 31002041 registers.ecx: 1375	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 6f f2 04 34 5f aa 89 ba 5e a2 0d 51 e3 c8 c7 6e exception.instruction: outsd dx, dword ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x1d90c49 registers.esp: 1635100 registers.edi: 0 registers.eax: 184 registers.ebp: 31001782 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4294965106	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 66 6d e9 c0 0b 00 00 51 56 50 52 e8 00 00 00 00 exception.instruction: insw word ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: redlol+0x91f3 exception.address: 0x4091f3 registers.esp: 1638324 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 64 registers.ebx: 2130567168 registers.esi: 4234777 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: ec 9b 55 d9 63 45 10 66 92 44 b6 cc db 92 43 27 exception.instruction: in al, dx exception.exception_code: 0xc0000096 exception.symbol: redlol+0x9219 exception.address: 0x409219 registers.esp: 1636520 registers.edi: 0 registers.eax: 420474629 registers.ebp: 1636584 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 4235053 registers.ecx: 4234777	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 6c e9 fe fa ff ff 56 52 e8 00 22 00 00 e9 aa 01 exception.instruction: insb byte ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: redlol+0x97f5 exception.address: 0x4097f5 registers.esp: 1634716 registers.edi: 4231786 registers.eax: 16 registers.ebp: 1634780 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4235053	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: cd ae c0 ad cb d7 3d 8c 8a b3 3e ac fa a6 be 46 exception.instruction: int 0xae exception.exception_code: 0xc0000005 exception.symbol: redlol+0x9e66 exception.address: 0x409e66 registers.esp: 1634712 registers.edi: 0 registers.eax: 16 registers.ebp: 1634780 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 4231891 registers.ecx: 4235053	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: ee e9 10 04 00 00 50 e9 d3 03 00 00 b8 ad 61 18 exception.instruction: out dx, al exception.exception_code: 0xc0000096 exception.symbol: redlol+0x9b27 exception.address: 0x409b27 registers.esp: 1634676 registers.edi: 0 registers.eax: 16 registers.ebp: 4234970 registers.edx: 2005822157 registers.ebx: 4233135 registers.esi: 0 registers.ecx: 4235053	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 0f 06 97 cb c1 89 70 33 28 fb 4d cd 08 60 26 87 exception.instruction: clts exception.exception_code: 0xc0000096 exception.symbol: redlol+0x9781 exception.address: 0x409781 registers.esp: 1634704 registers.edi: 0 registers.eax: 16 registers.ebp: 1634780 registers.edx: 2005822157 registers.ebx: 4233135 registers.esi: 0 registers.ecx: 4235053	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: cf 13 cb 36 04 03 78 a6 9c 5c e8 f8 27 70 5c 2c exception.instruction: iretd exception.exception_code: 0xc0000005 exception.symbol: redlol+0x9ab8 exception.address: 0x409ab8 registers.esp: 1632900 registers.edi: 0 registers.eax: 184 registers.ebp: 4234380 registers.edx: 2005822157 registers.ebx: 1633580 registers.esi: 0 registers.ecx: 1123	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: e4 69 e9 bc 01 00 00 b9 9d fb ff ff e9 fc 03 00 exception.instruction: in al, 0x69 exception.exception_code: 0xc0000096 exception.symbol: redlol+0x9872 exception.address: 0x409872 registers.esp: 1636520 registers.edi: 0 registers.eax: 16 registers.ebp: 4233586 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4234777	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: cc ba ed 7b 4d d6 34 f7 a9 cf d8 70 1b d6 37 b9 exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: redlol+0x94c6 exception.address: 0x4094c6 registers.esp: 1634716 registers.edi: 0 registers.eax: 756572589 registers.ebp: 1634780 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 4233058 registers.ecx: 920	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 6c 47 ec e3 8b 9b 5f 04 b0 57 05 62 11 b6 f6 d9 exception.instruction: insb byte ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: redlol+0x981c exception.address: 0x40981c registers.esp: 1632912 registers.edi: 0 registers.eax: 0 registers.ebp: 4233283 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4233058	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f 09 be de cb 47 aa 94 97 38 d3 54 56 3d b7 33 exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa1e9 exception.address: 0x40a1e9 registers.esp: 6881084 registers.edi: 0 registers.eax: 0 registers.ebp: 6881160 registers.edx: 2130553844 registers.ebx: 4235922 registers.esi: 0 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 66 6f 32 d7 d0 11 29 30 bd b5 a1 27 38 6c d1 83 exception.instruction: outsw dx, word ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa343 exception.address: 0x40a343 registers.esp: 6879280 registers.edi: 4236337 registers.eax: 0 registers.ebp: 6879344 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4235922	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 08 e9 16 04 00 00 b8 f8 ab a6 00 35 e8 ab a6 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa2b8 exception.address: 0x40a2b8 registers.esp: 6879280 registers.edi: 0 registers.eax: 917320306 registers.ebp: 4237257 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 6879960 registers.ecx: 2356	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 66 6f 19 a2 7f 1f 60 68 09 f2 7f fe 8b 5d ea 06 exception.instruction: outsw dx, word ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: redlol+0xaa3e exception.address: 0x40aa3e registers.esp: 6877476 registers.edi: 0 registers.eax: 16 registers.ebp: 6877540 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 4238834 registers.ecx: 4237257	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: cc f8 b2 04 6a a1 7e 1c 56 5a 0c 2e 85 d5 02 bd exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: redlol+0xb14e exception.address: 0x40b14e registers.esp: 6877468 registers.edi: 6878156 registers.eax: 16 registers.ebp: 6877540 registers.edx: 2005822157 registers.ebx: 4238363 registers.esi: 0 registers.ecx: 4237257	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: ef e9 6b 04 00 00 58 59 0f 85 2b 05 00 00 b9 ab exception.instruction: out dx, eax exception.exception_code: 0xc0000096 exception.symbol: redlol+0xae9d exception.address: 0x40ae9d registers.esp: 6879284 registers.edi: 0 registers.eax: 0 registers.ebp: 4240297 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 2356	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 08 79 87 87 7e d1 79 7b e2 46 9b f1 73 f3 f4 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa108 exception.address: 0x40a108 registers.esp: 6881056 registers.edi: 0 registers.eax: 0 registers.ebp: 4235559 registers.edx: 2130553844 registers.ebx: 6881220 registers.esi: 0 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fa ea e6 ef 45 f7 58 4d 63 5c 3c bb 84 8d 46 ec exception.instruction: cli exception.exception_code: 0xc0000096 exception.symbol: redlol+0xaeda exception.address: 0x40aeda registers.esp: 6881068 registers.edi: 0 registers.eax: 0 registers.ebp: 6881160 registers.edx: 2130553844 registers.ebx: 6881220 registers.esi: 4239225 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f 08 5e ab 68 e2 b9 24 4b 1e 70 c5 01 5e d2 78 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xc45c exception.address: 0x40c45c registers.esp: 6881080 registers.edi: 0 registers.eax: 4231168 registers.ebp: 6881160 registers.edx: 2130553844 registers.ebx: 444 registers.esi: 4245273 registers.ecx: 4248136	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f 09 be de cb 47 aa 94 97 38 d3 54 56 3d b7 33 exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa1e9 exception.address: 0x40a1e9 registers.esp: 6881084 registers.edi: 0 registers.eax: 0 registers.ebp: 6881160 registers.edx: 2130553844 registers.ebx: 4235922 registers.esi: 0 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 66 6f 32 d7 d0 11 29 30 bd b5 a1 27 38 6c d1 83 exception.instruction: outsw dx, word ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa343 exception.address: 0x40a343 registers.esp: 6879280 registers.edi: 4236337 registers.eax: 0 registers.ebp: 6879344 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4235922	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 08 e9 16 04 00 00 b8 f8 ab a6 00 35 e8 ab a6 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa2b8 exception.address: 0x40a2b8 registers.esp: 6879280 registers.edi: 0 registers.eax: 917320306 registers.ebp: 4237257 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 6879960 registers.ecx: 2356	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 66 6f 19 a2 7f 1f 60 68 09 f2 7f fe 8b 5d ea 06 exception.instruction: outsw dx, word ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: redlol+0xaa3e exception.address: 0x40aa3e registers.esp: 6877476 registers.edi: 0 registers.eax: 16 registers.ebp: 6877540 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 4238834 registers.ecx: 4237257	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: cc f8 b2 04 6a a1 7e 1c 56 5a 0c 2e 85 d5 02 bd exception.instruction: int3 exception.exception_code: 0x80000003 exception.symbol: redlol+0xb14e exception.address: 0x40b14e registers.esp: 6877468 registers.edi: 6878156 registers.eax: 16 registers.ebp: 6877540 registers.edx: 2005822157 registers.ebx: 4238363 registers.esi: 0 registers.ecx: 4237257	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: ef e9 6b 04 00 00 58 59 0f 85 2b 05 00 00 b9 ab exception.instruction: out dx, eax exception.exception_code: 0xc0000096 exception.symbol: redlol+0xae9d exception.address: 0x40ae9d registers.esp: 6879284 registers.edi: 0 registers.eax: 0 registers.ebp: 4240297 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 2356	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 08 79 87 87 7e d1 79 7b e2 46 9b f1 73 f3 f4 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa108 exception.address: 0x40a108 registers.esp: 6881056 registers.edi: 0 registers.eax: 0 registers.ebp: 4235559 registers.edx: 2130553844 registers.ebx: 6881220 registers.esi: 0 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fa ea e6 ef 45 f7 58 4d 63 5c 3c bb 84 8d 46 ec exception.instruction: cli exception.exception_code: 0xc0000096 exception.symbol: redlol+0xaeda exception.address: 0x40aeda registers.esp: 6881068 registers.edi: 0 registers.eax: 0 registers.ebp: 6881160 registers.edx: 2130553844 registers.ebx: 6881220 registers.esi: 4239225 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 0f 09 be de cb 47 aa 94 97 38 d3 54 56 3d b7 33 exception.instruction: wbinvd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa1e9 exception.address: 0x40a1e9 registers.esp: 6881084 registers.edi: 0 registers.eax: 0 registers.ebp: 6881160 registers.edx: 2130553844 registers.ebx: 4235922 registers.esi: 0 registers.ecx: 772079616	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 66 6f 32 d7 d0 11 29 30 bd b5 a1 27 38 6c d1 83 exception.instruction: outsw dx, word ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa343 exception.address: 0x40a343 registers.esp: 6879280 registers.edi: 4236337 registers.eax: 0 registers.ebp: 6879344 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 0 registers.ecx: 4235922	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: exception.instruction_r: 0f 08 e9 16 04 00 00 b8 f8 ab a6 00 35 e8 ab a6 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: redlol+0xa2b8 exception.address: 0x40a2b8 registers.esp: 6879280 registers.edi: 0 registers.eax: 917320306 registers.ebp: 4237257 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 6879960 registers.ecx: 2356	1
__exception__ Oct. 2, 2023, 8:47 a.m.	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x778e6a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x746c482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x778b0143 exception.instruction_r: 66 6f 19 a2 7f 1f 60 68 09 f2 7f fe 8b 5d ea 06 exception.instruction: outsw dx, word ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: redlol+0xaa3e exception.address: 0x40aa3e registers.esp: 6877476 registers.edi: 0 registers.eax: 16 registers.ebp: 6877540 registers.edx: 2005822157 registers.ebx: 0 registers.esi: 4238834 registers.ecx: 4237257	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778bf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 1508 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778bf000 process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 2, 2023, 8:47 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003f0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007a000', u'virtual_address': u'0x00001000', u'entropy': 7.843071900680177, u'name': u'.text', u'virtual_size': u'0x000791d0'}

entropy

7.84307190068

description

A section with a high entropy has been found

entropy

0.659459459459

description

Overall entropy of this PE file is high

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 3bbd2d54be5cfd0e193930518600aaade911bead

Communicates with host for which no DNS query was performed (1 event)

host

121.254.136.18

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 2, 2023, 8:47 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 2, 2023, 8:47 a.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1508 called NtSetContextThread to modify thread in remote process 516
NtSetContextThread Oct. 2, 2023, 8:47 a.m.	registers.eip: 4231168 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206209 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2005598660 thread_handle: 0x00000114 process_identifier: 516	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1508 resumed a thread in remote process 516
NtResumeThread Oct. 2, 2023, 8:47 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 516	1	0	0

Executed a process and injected code into it, probably while unpacking (6 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 2, 2023, 8:47 a.m.	thread_identifier: 444 thread_handle: 0x00000114 process_identifier: 516 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\redlol.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\redlol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000011c	1	1
NtGetContextThread Oct. 2, 2023, 8:47 a.m.	thread_handle: 0x00000114	1	0
NtUnmapViewOfSection Oct. 2, 2023, 8:47 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 516 process_handle: 0x0000011c	1	0
NtMapViewOfSection Oct. 2, 2023, 8:47 a.m.	section_handle: 0x000000e0 process_identifier: 516 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00400000 allocation_type: 0 () section_offset: 0 view_size: 57344 process_handle: 0x0000011c	1	0
NtSetContextThread Oct. 2, 2023, 8:47 a.m.	registers.eip: 4231168 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206209 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2005598660 thread_handle: 0x00000114 process_identifier: 516	1	0
NtResumeThread Oct. 2, 2023, 8:47 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 516	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Mokes.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Zusy.495165
FireEye	Generic.mg.f874356ddee152fc
McAfee	Artemis!F874356DDEE1
Malwarebytes	Malware.AI.4209507769
VIPRE	Gen:Variant.Zusy.495165
Sangfor	Suspicious.Win32.Save.vb
Alibaba	Backdoor:Win32/Mokes.e7d438f2
K7GW	Hacktool ( 700007861 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Zusy.D78E3D
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETIM
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Backdoor.Win32.Mokes.aqry
BitDefender	Gen:Variant.Zusy.495165
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Backdoor.Mokes.Vimw
Sophos	Mal/Generic-S
F-Secure	Backdoor.BDS/Mokes.kgzti
DrWeb	Trojan.KillProc2.21584
McAfee-GW-Edition	BehavesLike.Win32.Infected.bh
Trapmine	malicious.high.ml.score
Emsisoft	Gen:Variant.Zusy.495165 (B)
Ikarus	Backdoor.Mokes
Avira	BDS/Mokes.kgzti
Antiy-AVL	Trojan[Backdoor]/Win32.Mokes
Kingsoft	malware.kb.a.1000
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Backdoor.Win32.Mokes.aqry
GData	Gen:Variant.Zusy.495165
Google	Detected
BitDefenderTheta	Gen:NN.ZevbaF.36738.Um0@aCKTBSB
ALYac	Gen:Variant.Zusy.495165
MAX	malware (ai score=86)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H09IU23
Rising	Trojan.Injector!1.C6AF (CLASSIC)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]
Cybereason	malicious.90cb24
DeepInstinct	MALICIOUS

redlol.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All