Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 7, 2024, 7:53 a.m.	Feb. 7, 2024, 7:57 a.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`673ec9946966504e0d8d87cf8bf0fb15`
SHA256	`1b1c5a350db6f50dff2795a60e66326516087f686df86393b1183f26141806ee`
CRC32	`87DC71FA`
ssdeep	`98304:84uTo0ZCKFwlCNZTOoqXAx88BqcVu1pggGsgBsCESpQ3v:84e7vNZTcAyhyyWgGppqv`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file anti_vm_detect - Possibly employs anti-virtualization techniques UPX_Zero - UPX packed file DllRegisterServer_Zero - execute regsvr32.exe OS_Processor_Check_Zero - OS Processor Check

ax.exe "C:\Users\test22\AppData\Local\Temp\ax.exe"
2560
- svchost.exe "C:\Users\test22\AppData\Roaming\svchost.exe"
  2632
- xzw.exe "C:\Users\test22\AppData\Roaming\xzw.exe"
  2668

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
106.52.15.123	Active	Moloch
124.222.175.116	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 124.222.175.116:60 -> 192.168.56.101:49168	2048478	ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 7, 2024, 7:53 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 7, 2024, 7:53 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

One or more processes crashed (32 events)

Time & API	Arguments	Status
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: xzw+0x1139ee @ 0x5139ee xzw+0x120686 @ 0x520686 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: eb 09 40 d7 47 22 d1 1e ca 65 94 c3 e9 51 ff ff exception.symbol: xzw+0x69ce2 exception.instruction: jmp 0x469ced exception.module: xzw.exe exception.exception_code: 0x80000003 exception.offset: 433378 exception.address: 0x469ce2 registers.esp: 1638008 registers.edi: 0 registers.eax: 0 registers.ebp: 1638052 registers.edx: 582600 registers.ebx: 5 registers.esi: 6155344 registers.ecx: 6155344	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 1637020 registers.edi: 1637020 registers.eax: 4579498 registers.ebp: 1637256 registers.edx: 3105522139 registers.ebx: 1573378 registers.esi: 4812901 registers.ecx: 2799400918	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:53 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579429 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3157764518	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579471 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3140627582	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579471 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3140627582	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579471 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3140627582	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579471 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3140627582	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579471 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3140627582	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579471 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 3140627582	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579498 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 2799400918	1
__exception__ Feb. 7, 2024, 7:54 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579498 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 2799400918	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579498 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 2799400918	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1
__exception__ Feb. 7, 2024, 7:55 a.m.	stacktrace: exception.instruction_r: 8b d9 0f 9c c3 66 8b da 89 4d 00 e8 ba ff ff ff exception.symbol: xzw+0x8ac94 exception.instruction: mov ebx, ecx exception.module: xzw.exe exception.exception_code: 0x80000004 exception.offset: 568468 exception.address: 0x48ac94 registers.esp: 39320396 registers.edi: 39320396 registers.eax: 4579394 registers.ebp: 39320632 registers.edx: 3105522139 registers.ebx: 39256582 registers.esi: 4812901 registers.ecx: 694652641	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 5274 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 335872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140050000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140050000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 196608 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 196608 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140001000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140041000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140041000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 299008 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140174000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140031000 process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	xzw.exe tried to sleep 170 seconds, actually delayed analysis time by 170 seconds
description	svchost.exe tried to sleep 402 seconds, actually delayed analysis time by 402 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Feb. 7, 2024, 7:53 a.m.	total_number_of_free_bytes: 13317644288 free_bytes_available: 13317644288 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Feb. 7, 2024, 7:53 a.m.	total_number_of_free_bytes: 13317574656 free_bytes_available: 13317574656 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b8cc8

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b8cc8

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b8cc8

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b91b8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b91b8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b91b8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b91b8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba8c0

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d825c

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d825c

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d94a4

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9eec

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9f38

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9f38

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9f38

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9f88

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9f88

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d9f88

size

0x00000014

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\svchost.exe
file	C:\Program Files\Windows NT\system.exe
file	C:\Users\test22\AppData\Roaming\xzw.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Feb. 7, 2024, 7:53 a.m.	service_start_name: start_type: 2 password: display_name: Muqimo aywaawee filepath: C:\Program Files (x86)\Suaeweq.exe service_name: Rsgsyq kiscaaok filepath_r: C:\Program Files (x86)\Suaeweq.exe desired_access: 983551 service_handle: 0x00610460 error_control: 1 service_type: 272 service_manager_handle: 0x00614c40	1	6358112	0

Creates a suspicious process (2 events)

cmdline	C:\Users\test22\AppData\Roaming\svchost.exe
cmdline	"C:\Users\test22\AppData\Roaming\svchost.exe"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\svchost.exe
file	C:\Users\test22\AppData\Roaming\xzw.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\xzw.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: svchost.exe process_identifier: 2632	1	1
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: xzw.exe process_identifier: 2668	1	1
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812	1	1
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 2932	1	1
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 7, 2024, 7:53 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 116 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002e8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000000000002f8 process_name: Suaeweq.exe process_identifier: 2812		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0
Process32NextW Feb. 7, 2024, 7:53 a.m.	snapshot_handle: 0x00000414 process_name: Suaeweq.exe process_identifier: 6619233		0	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 7, 2024, 7:53 a.m.	thread_identifier: 2636 thread_handle: 0x000002d0 process_identifier: 2632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d8	1	1	0
ShellExecuteExW Feb. 7, 2024, 7:53 a.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\svchost.exe	1	1	0