Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 28, 2023, 9:57 a.m.	Nov. 28, 2023, 9:57 a.m.

Size	1.3MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`4e88cb52fa6c33f10aeeac975b2e4cd4`
SHA256	`ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396`
CRC32	`EB4A7F59`
ssdeep	`24576:ZcOeh7E7IJbtEJEHng8wGrQTLq73xaH7pbHl6GV:ZcOWFJbtSMXoTLq73xK51`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description) UPX_Zero - UPX packed file

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,GetCrashKeyCountImpl
3036
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,IsSandboxedProcess
2220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,GetHandleVerifier
1784
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,RelaunchChromeBrowserWithNewCommandLineIfNeeded
2424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_add_cross_origin_whitelist_entry
1596
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_api_hash
1728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_base64decode
2564
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_base64encode
2820
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_begin_tracing
2932
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_binary_value_create
2188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_browser_host_create_browser
2380
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_browser_host_create_browser_sync
1196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_browser_view_create
2124
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_browser_view_get_for_browser
2332
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_clear_cross_origin_whitelist
2996
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_clear_scheme_handler_factories
2336
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_command_line_create
2844
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_command_line_get_global
2576
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_cookie_manager_create_manager
2016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_cookie_manager_get_global_manager
2524
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_crash_reporting_enabled
2568
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_create_context_shared
1188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_create_directory
756
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_create_new_temp_directory
236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_create_temp_directory_in_directory
2772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_create_url
3108
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_currently_on
3196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_delete_file
3292
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_dictionary_value_create
3388
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_directory_exists
3484
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_display_get_alls
3584
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_display_get_count
3680
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_display_get_matching_bounds
3772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_display_get_nearest_point
3864
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_display_get_primary
3968
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_do_message_loop_work
4060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_drag_data_create
3192
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_enable_highdpi_support
3312
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_end_tracing
3456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_execute_java_script_with_user_gesture_for_tests
3628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_execute_process
3764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_format_url_for_security_display
3908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_current_platform_thread_handle
4040
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_current_platform_thread_id
3288
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_extensions_for_mime_type
3472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_geolocation
3732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_mime_type
3956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_min_log_level
3240
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_path
3640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_temp_directory
3104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_get_vlog_level
3536
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_image_create
3264
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_initialize
3928
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_is_cert_status_error
3128
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_is_cert_status_minor_error
4168
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_is_web_plugin_unstable
4264
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_label_button_create
4364
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_launch_process
4460
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_list_value_create
4552
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_load_crlsets_file
4644
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_log
4748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_menu_button_create
4840
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_menu_model_create
4940
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_now_from_system_trace_time
5036
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_panel_create
3416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_parse_json
4256
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_parse_jsonand_return_error
4396
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_parse_url
4532
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_post_data_create
4720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_post_data_element_create
4600
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\ndldll.txt.exe.dll,cef_post_delayed_task
4572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
8.217.212.78	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 28, 2023, 9:57 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 70 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:57 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 28, 2023, 9:57 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.xx - v2.xx

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (50 out of 727 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74120000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74120000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74120000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74120000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 2424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ce3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74120000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74032000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 28, 2023, 9:57 a.m.	total_number_of_free_bytes: 9118674944 free_bytes_available: 9118674944 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (25 events)

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013bb6c

size

0x00000356

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013bb6c

size

0x00000356

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013bb6c

size

0x00000356

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013bb6c

size

0x00000356

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013bb6c

size

0x00000356

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0013bb6c

size

0x00000356

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014bc20

size

0x00000040

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014ce3c

size

0x00000122

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014ce3c

size

0x00000122

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014ce3c

size

0x00000122

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0014d0d0

size

0x000002c4

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 59 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: smss.exe process_identifier: 228	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: services.exe process_identifier: 444	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 656	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 740	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 1000	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 352	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: IMEDICTUPDATE.EXE process_identifier: 1492	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 1200	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: SearchProtocolHost.exe process_identifier: 1364	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: SearchFilterHost.exe process_identifier: 2064	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: tvnserver.exe process_identifier: 2580	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: tvnserver.exe process_identifier: 2664	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 2692	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: sdclt.exe process_identifier: 2776	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: taskhost.exe process_identifier: 2868	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: cmd.exe process_identifier: 2964	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: conhost.exe process_identifier: 2972	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 3036	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: pw.exe process_identifier: 3052	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 1784	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2220	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2424	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 1596	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 1728	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2564	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2820	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2932	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2188	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2380	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 1196	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2124	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2332	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2996	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2336	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2844	1	1
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x00000130 process_name: rundll32.exe process_identifier: 2576	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 28, 2023, 9:57 a.m.	process_identifier: 1728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 589824 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02171000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0012f000', u'virtual_address': u'0x00007000', u'entropy': 7.262314296413721, u'name': u'.data', u'virtual_size': u'0x0012e1e0'}

entropy

7.26231429641

description

A section with a high entropy has been found

entropy

0.90447761194

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (33 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0
Process32NextW Nov. 28, 2023, 9:57 a.m.	snapshot_handle: 0x000002ac process_name: inject-x86.exe process_identifier: 1568		0	0

Communicates with host for which no DNS query was performed (1 event)

host

8.217.212.78

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Mikey.160276
Skyhigh	Artemis!Trojan
McAfee	Artemis!4E88CB52FA6C
Zillya	Trojan.Kryptik.Win32.4350337
K7AntiVirus	Trojan ( 005ac13a1 )
K7GW	Trojan ( 005ac13a1 )
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HUUR
ClamAV	Win.Trojan.Ulise-9645830-0
Kaspersky	HEUR:Trojan.Win32.Kryptik.gen
BitDefender	Gen:Variant.Mikey.160276
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10bf3c85
Emsisoft	Gen:Variant.Mikey.160276 (B)
F-Secure	Trojan.TR/AD.Farfli.zuzfc
VIPRE	Gen:Variant.Mikey.160276
FireEye	Gen:Variant.Mikey.160276
MAX	malware (ai score=85)
Jiangmin	Trojan.Kryptik.tau
Google	Detected
Avira	TR/AD.Farfli.zuzfc
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	Win32.Trojan.Kryptik.gen
Arcabit	Trojan.Mikey.D27214
ZoneAlarm	HEUR:Trojan.Win32.Kryptik.gen
GData	Gen:Variant.Mikey.160276
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.Mikey.160276
Malwarebytes	Malware.AI.3248958616
Rising	Trojan.Kryptik!8.8 (TFE:6:Ka9wDGtJXTM)
Ikarus	Trojan.Win32.Crypt
BitDefenderTheta	Gen:NN.ZedlaF.36608.wv@@aKfWbSdj
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS

ndldll.txt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All