Summary | ZeroBOX

version.dll

Generic Malware, Malicious Library, UPX, Malicious Packer, PE File, DLL, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6403_us
Started July 11, 2024, 1:16 p.m.
Completed July 11, 2024, 1:30 p.m.
Size 4.5MB
Type PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5 80f0d5b317e64595f1faaf57bee5587b
SHA256 6fd1b1c8e7b60935b648ffa6be50b3ce3b1144bd2d3e3d514ab86fa51e732bf3
CRC32 4D3EDC80
ssdeep 49152:Aiw2EoWjSZXPb91f+kK2MiwtvLKzzFodCuo1F3JfRQd50bv2mqdC/L0B1A0vCexi:Aiw4WSXPbGKzzF/uotS/4SsZ
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsDLL - (no description)
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent (17 identical calls, no arguments)

0 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
New_version_GetFileVersionInfoSizeExW@12+0x40 New_version_GetFileVersionInfoSizeW@8-0xa9 @ 0x745488b8
GetFileVersionInfoSizeW+0x12 GetFileVersionInfoW-0x9 version+0x19eb @ 0x747319eb
New_version_GetFileVersionInfoSizeW@8+0x74 New_version_GetFileVersionInfoW@16-0x60 @ 0x745489d5
GetFileVersionInfoSizeA+0x39 GetFileVersionInfoA-0x18 version+0x1cd5 @ 0x74731cd5
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 89 18 6a 01 8b 35 74 10 73 74 ff d6 89 45 10 6a
exception.symbol: GetFileVersionInfoSizeExW+0x15 GetFileVersionInfoSizeW-0xdb version+0x18fe
exception.instruction: mov dword ptr [eax], ebx
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 6398
exception.address: 0x747318fe
registers.esp: 2095460
registers.edi: 0
registers.eax: 12386304
registers.ebp: 2095508
registers.edx: 1
registers.ebx: 0
registers.esi: 131426
registers.ecx: 2005722981
1 0 0

__exception__

stacktrace:
New_version_GetFileVersionInfoSizeExW@12+0x40 New_version_GetFileVersionInfoSizeW@8-0xa9 @ 0x745488b8
GetFileVersionInfoSizeW+0x12 GetFileVersionInfoW-0x9 version+0x19eb @ 0x747319eb
New_version_GetFileVersionInfoSizeW@8+0x74 New_version_GetFileVersionInfoW@16-0x60 @ 0x745489d5
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 89 18 6a 01 8b 35 74 10 73 74 ff d6 89 45 10 6a
exception.symbol: GetFileVersionInfoSizeExW+0x15 GetFileVersionInfoSizeW-0xdb version+0x18fe
exception.instruction: mov dword ptr [eax], ebx
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 6398
exception.address: 0x747318fe
registers.esp: 1571284
registers.edi: 0
registers.eax: 12386304
registers.ebp: 1571332
registers.edx: 1
registers.ebx: 0
registers.esi: 328034
registers.ecx: 1611244550
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 00 53 56 57 33 ff 47 89 45 fc 85 c0 75 03 89
exception.symbol: VerFindFileA+0xb VerInstallFileA-0x1cf version+0x2994
exception.instruction: mov eax, dword ptr [eax]
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 10644
exception.address: 0x74732994
registers.esp: 653128
registers.edi: 0
registers.eax: 0
registers.ebp: 653172
registers.edx: 0
registers.ebx: 0
registers.esi: 393570
registers.ecx: 0
1 0 0

__exception__

stacktrace:
VerFindFileW+0xed VerInstallFileW-0x31e version+0x3e9f @ 0x74733e9f
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 66 8b 08 40 40 66 85 c9 75 f6 8b 8d e4 fd ff ff
exception.symbol: VerInstallFileA+0x1163 VerFindFileW-0xec version+0x3cc6
exception.instruction: mov cx, word ptr [eax]
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 15558
exception.address: 0x74733cc6
registers.esp: 1569596
registers.edi: 261
registers.eax: 1
registers.ebp: 1570152
registers.edx: 3
registers.ebx: 12386304
registers.esi: 1
registers.ecx: 1570192
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 00 53 33 db 56 43 57 89 45 fc 85 c0 75 03 89
exception.symbol: VerInstallFileA+0xb VerFindFileW-0x1244 version+0x2b6e
exception.instruction: mov eax, dword ptr [eax]
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 11118
exception.address: 0x74732b6e
registers.esp: 1570660
registers.edi: 0
registers.eax: 0
registers.ebp: 1570720
registers.edx: 0
registers.ebx: 0
registers.esi: 393256
registers.ecx: 0
1 0 0

__exception__

stacktrace:
VerLanguageNameW+0xbf VerLanguageNameA-0x20 kernelbase+0x235fa @ 0x755b35fa
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 66 89 08 40 40 4e 75 e8 85 f6 75 07 48 48 bb 7a
exception.symbol: GetCurrentDirectoryA+0x493 GetShortPathNameW-0xbb kernelbase+0x1a5fe
exception.instruction: mov word ptr [eax], cx
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 108030
exception.address: 0x755aa5fe
registers.esp: 2160712
registers.edi: 4292173295
registers.eax: 12386304
registers.ebp: 2160724
registers.edx: 4284741756
registers.ebx: 0
registers.esi: 2794006
registers.ecx: 84
1 0 0

__exception__

stacktrace:
VerQueryValueA+0x18 GetFileVersionInfoSizeA-0x112 version+0x1b8a @ 0x74731b8a
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 83 21 00 0f b7 43 04 ba 56 53 00 00 66 3b c2 0f
exception.symbol: VerLanguageNameW+0x32 GetFileVersionInfoSizeExW-0x312 version+0x15d7
exception.instruction: and dword ptr [ecx], 0
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 5591
exception.address: 0x747315d7
registers.esp: 2358324
registers.edi: 0
registers.eax: 1953700722
registers.ebp: 2358352
registers.edx: 1968836992
registers.ebx: 655400
registers.esi: 655400
registers.ecx: 1
1 0 0

__exception__

stacktrace:
VerQueryValueW+0x18 VerQueryValueA-0x9 version+0x1b69 @ 0x74731b69
rundll32+0x137d @ 0xbd137d
rundll32+0x1326 @ 0xbd1326
rundll32+0x1901 @ 0xbd1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 83 21 00 0f b7 43 04 ba 56 53 00 00 66 3b c2 0f
exception.symbol: VerLanguageNameW+0x32 GetFileVersionInfoSizeExW-0x312 version+0x15d7
exception.instruction: and dword ptr [ecx], 0
exception.module: VERSION.dll
exception.exception_code: 0xc0000005
exception.offset: 5591
exception.address: 0x747315d7
registers.esp: 2291468
registers.edi: 0
registers.eax: 1953700689
registers.ebp: 2291496
registers.edx: 162
registers.ebx: 720936
registers.esi: 720936
registers.ecx: 1
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74481000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2164
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74441000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74441000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74411000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1372
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1372
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1372
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74481000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74441000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74411000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74441000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74411000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2452
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74430000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2736
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74481000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2828
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7355f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2828
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74430000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2828
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2828
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0
Rising Trojan.Generic@AI.77 (RDMK:cmRtazolOkQUuT0n0oFAwkOD6aAa)
McAfeeD ti!6FD1B1C8E7B6
Ikarus Trojan.Cometer
Google Detected
DeepInstinct MALICIOUS
file C:\Users\test22\AppData\Local\Temp\.p.lock
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0098fad9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0037f739
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x00aefce9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x00a6f909
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x009ff8f9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0096f819
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x009af869
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0095f609
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x003cf9c9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0093f5f9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x00a1f789
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x009efa29
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x003df8c9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0