Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 22, 2024, 3:31 p.m.	Nov. 22, 2024, 3:42 p.m.

Size	27.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5	`e516566b25ae853edd6aad00854d782a`
SHA256	`9cb2b6cafc2c6ec61d2f997789e7a923d71b8663f57a531820d958971f8a8e84`
CRC32	`FE06FB16`
ssdeep	`393216:aT903qKSVL/D0mOWBLGZz1cVeN1zSuCK+RO4b61B2YpLlsmb2wIoV1Keejdnd:ah0OVL/rBLGp1JdCr6zRlsm1IoV1G9d`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe"
2100
- %E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe"
  2584
  - %E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe"
    2668
    - %E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe"
      2780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\data
file	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\data

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 22, 2024, 3:31 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

PECompact 2.xx --> BitSum Technologies

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MYRES

One or more processes crashed (46 events)

Time & API	Arguments	Status
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 40 df 63 exception.symbol: %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x3428a6 exception.instruction: mov dword ptr [eax], ecx exception.module: %E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe exception.exception_code: 0xc0000005 exception.offset: 3418278 exception.address: 0x7428a6 registers.esp: 1638276 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 7612560 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x743c76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7564fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x743c7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7564fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7564fd36 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1bda @ 0x401bda %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1c48 @ 0x401c48 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1d89 @ 0x401d89 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x39f184 @ 0x79f184 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x39f08a @ 0x79f08a %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x3429f2 @ 0x7429f2 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x34289f @ 0x74289f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74233f46 registers.esp: 1636240 registers.edi: 0 registers.eax: 1948467014 registers.ebp: 1636280 registers.edx: 0 registers.ebx: 0 registers.esi: 1948467014 registers.ecx: 55446888	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x743c76de MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7564fb9e New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x743c7600 MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7564fcf1 MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7564fd36 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1bda @ 0x401bda %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1c48 @ 0x401c48 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1d89 @ 0x401d89 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x39f184 @ 0x79f184 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x39f08a @ 0x79f08a %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x3429f2 @ 0x7429f2 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x34289f @ 0x74289f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74233f46 registers.esp: 1636240 registers.edi: 0 registers.eax: 1948467014 registers.ebp: 1636280 registers.edx: 0 registers.ebx: 0 registers.esi: 1948467014 registers.ecx: 55446888	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1a84 @ 0x401a84 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1c7d @ 0x401c7d %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x1d89 @ 0x401d89 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x39f184 @ 0x79f184 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x39f08a @ 0x79f08a %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x3429f2 @ 0x7429f2 %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x34289f @ 0x74289f BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 1637128 registers.edi: 0 registers.eax: 55964312 registers.ebp: 1637156 registers.edx: 1 registers.ebx: 0 registers.esi: 53135224 registers.ecx: 1948333436	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: fnAllFunctionDLL1+0x188857 @ 0x326c4b2 0x1e0021 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c7 45 fc fe ff ff ff eb 52 b8 01 00 00 00 c3 8b exception.instruction: mov dword ptr [ebp + 0xfffffffc], 0xfffffffe exception.exception_code: 0x80000004 exception.symbol: fnAllFunctionDLL1+0x3a382 exception.address: 0x311dfdd registers.esp: 1630688 registers.edi: 1630684 registers.eax: 92930568 registers.ebp: 1632308 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1630688 registers.ecx: 1855615848	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: fnAllFunctionDLL1+0x188857 @ 0x326c4b2 0x1e0021 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c6 00 00 c7 45 fc fe ff ff ff eb 52 b8 01 00 00 exception.instruction: mov byte ptr [eax], 0 exception.exception_code: 0xc0000005 exception.symbol: fnAllFunctionDLL1+0x3a3e6 exception.address: 0x311e041 registers.esp: 1630688 registers.edi: 0 registers.eax: 0 registers.ebp: 1632308 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1630688 registers.ecx: 2588	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: fnAllFunctionDLL1+0x1b24f0 @ 0x329614b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c7 45 fc fe ff ff ff eb 52 b8 01 00 00 00 c3 8b exception.instruction: mov dword ptr [ebp + 0xfffffffc], 0xfffffffe exception.exception_code: 0x80000004 exception.symbol: fnAllFunctionDLL1+0x3a382 exception.address: 0x311dfdd registers.esp: 157348456 registers.edi: 157348452 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 0 registers.ebx: 0 registers.esi: 157348456 registers.ecx: 1855615848	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: fnAllFunctionDLL1+0x1b24f0 @ 0x329614b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c6 00 00 c7 45 fc fe ff ff ff eb 52 b8 01 00 00 exception.instruction: mov byte ptr [eax], 0 exception.exception_code: 0xc0000005 exception.symbol: fnAllFunctionDLL1+0x3a3e6 exception.address: 0x311e041 registers.esp: 157348456 registers.edi: 0 registers.eax: 0 registers.ebp: 157350076 registers.edx: 2130328564 registers.ebx: 0 registers.esi: 157348456 registers.ecx: 2748	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9764484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9769484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9769484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9774484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9774484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9779484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9779484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9784484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9784484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9789484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9789484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9794484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9794484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9799484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9799484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9804484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9804484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9809484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9809484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9814484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9814484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9819484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9819484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9824484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9824484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9829484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:32 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9829484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9834484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9834484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9839484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9839484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9844484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9844484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9849484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9849484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x5af0002 registers.esp: 157349808 registers.edi: 157350052 registers.eax: 95355400 registers.ebp: 157350076 registers.edx: 9854484 registers.ebx: 0 registers.esi: 157350092 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:33 p.m.	stacktrace: exception.instruction_r: c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 c3 exception.instruction: ret exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x87e0002 registers.esp: 158660528 registers.edi: 158660772 registers.eax: 142475784 registers.ebp: 158660796 registers.edx: 9854484 registers.ebx: 0 registers.esi: 158660812 registers.ecx: 0	1
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 40 df 63 exception.symbol: %e5%b7%85%e3%82%bd%e5%b3%b0[%e9%95%bf%e4%b9%85]3+0x3428a6 exception.instruction: mov dword ptr [eax], ecx exception.module: %E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe exception.exception_code: 0xc0000005 exception.offset: 3418278 exception.address: 0x7428a6 registers.esp: 1638276 registers.edi: 0 registers.eax: 0 registers.ebp: 1638292 registers.edx: 7612560 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 90 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 11685888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 11829248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 11829248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 266240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1001f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10069000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1006d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 606208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1006f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 10756096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4681728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4681728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 11681792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x076c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 3125248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x081f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 454656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x084f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x084f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x084f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 1064960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x084f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x085f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08629000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0863e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 1396736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 397312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x087a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2100 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 29077504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x058f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x087e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1200128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00526000 process_handle: 0xffffffff	1	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe tried to sleep 347 seconds, actually delayed analysis time by 347 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 22, 2024, 3:32 p.m.	total_number_of_free_bytes: 9902067712 free_bytes_available: 9902067712 root_path: C: total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 out of 57 events)

name

MYRES

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x021a2938

size

0x00b24200

name

MYRES

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x021a2938

size

0x00b24200

name

MYRES

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x021a2938

size

0x00b24200

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7d00

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7ef0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc7ef0

size

0x00000144

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4283048478, next used block 4286731813

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02ccdbd8

size

0x000025a8

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8348

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8348

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8348

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8348

size

0x00000034

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8ce0

size

0x000001a6

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x02cc8fe8

size

0x00000014

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x01bb2800', u'virtual_address': u'0x00001000', u'entropy': 7.9999941981123515, u'name': u'.text', u'virtual_size': u'0x02ccc000'}

entropy

7.99999419811

description

A section with a high entropy has been found

entropy

0.998960956624

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://purl.org/dc/elements/1.1/
url	http://ns.adobe.com/xap/1.0/

Yara rule detected in process memory (44 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications over HTTP	rule	Network_HTTP
description	Communications over SSL	rule	Network_SSL
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Communications over HTTP	rule	Network_HTTP
description	Communications over SSL	rule	Network_SSL
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger

One or more of the buffers contains an embedded PE file (4 events)

buffer	Buffer with sha1: be2cf79c6208269fc726b2536e6d2ce8d5c32e3a
buffer	Buffer with sha1: cd650ed50764cb4447cb7a6062ca7b9fa95f993b
buffer	Buffer with sha1: bff38ad8edd0a5b907314f16f216dab094ba6e97
buffer	Buffer with sha1: 702ecf0d56d603d6598147a7551b331333e79c61

Allocates execute permission to another process indicative of possible code injection (12 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x000001c0	1	0
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 47009792 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x000001c0	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0		3221225496
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 8253440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0	1	0
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x0000010c	1	0
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 47009792 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0x0000010c	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c		3221225496
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 8253440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c	1	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Potential code injection by writing to the memory of another process (20 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: M base_address: 0x00400000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Z base_address: 0x00400001 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ¨/@aGâ base_address: 0x03400000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Úßè3ò base_address: 0x03b70964 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: (t base_address: 0x03b70969 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 4846e7202b9b4e09dp-0bb6cc3f base_address: 0x03b7096d process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 1 base_address: 0x03b7098c process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe base_address: 0x03b7098d process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Uì`jjh¸_8ÿÐh@¸[<ÿÐaå]éÛþ; base_address: 0x001e0000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ék×©ÿ base_address: 0x00742890 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: M base_address: 0x00400000 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Z base_address: 0x00400001 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ¨/@aGâ base_address: 0x03400000 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Úßè3ò base_address: 0x03b70964 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: (t base_address: 0x03b70969 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 4846e7202b9b4e09dp-0bb6cc3f base_address: 0x03b7096d process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 1 base_address: 0x03b7098c process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe base_address: 0x03b7098d process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Uì`jjh¸_8ÿÐh@¸[<ÿÐaå]éÛþ; base_address: 0x001e0000 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ék×©ÿ base_address: 0x00742890 process_identifier: 2780 process_handle: 0x0000010c	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2100 resumed a thread in remote process 2584
Process injection	Process 2584 resumed a thread in remote process 2668
Process injection	Process 2668 resumed a thread in remote process 2780
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000001b8 suspend_count: 1 process_identifier: 2584	1	0	0
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2668	1	0	0
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2780	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Nov. 22, 2024, 3:31 p.m.	ordinal: 0 function_address: 0x004865d0 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

Executed a process and injected code into it, probably while unpacking (50 out of 56 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 2100	1	0
CreateProcessInternalW Nov. 22, 2024, 3:31 p.m.	thread_identifier: 2588 thread_handle: 0x000001b8 process_identifier: 2584 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001c0	1	1
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000001b8	1	0
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000001b8	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x00400000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: M base_address: 0x00400000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Z base_address: 0x00400001 process_identifier: 2584 process_handle: 0x000001c0	1	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0		3221225496
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x030e0000 process_identifier: 2584 process_handle: 0x000001c0	1	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2584 region_size: 8253440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x000001c0	1	0
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000001b8	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ¨/@aGâ base_address: 0x03400000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x03400024 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x036fa824 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Úßè3ò base_address: 0x03b70964 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: (t base_address: 0x03b70969 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 4846e7202b9b4e09dp-0bb6cc3f base_address: 0x03b7096d process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 1 base_address: 0x03b7098c process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe base_address: 0x03b7098d process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x03b70d8d process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Uì`jjh¸_8ÿÐh@¸[<ÿÐaå]éÛþ; base_address: 0x001e0000 process_identifier: 2584 process_handle: 0x000001c0	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ék×©ÿ base_address: 0x00742890 process_identifier: 2584 process_handle: 0x000001c0	1	1
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000001b8 suspend_count: 1 process_identifier: 2584	1	0
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2584	1	0
CreateProcessInternalW Nov. 22, 2024, 3:31 p.m.	thread_identifier: 2672 thread_handle: 0x000002b8 process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2668	1	0
NtSetContextThread Nov. 22, 2024, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0xfffffffe process_identifier: 2584	1	0
NtSetContextThread Nov. 22, 2024, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0xfffffffe process_identifier: 2584	1	0
NtSetContextThread Nov. 22, 2024, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 0 registers.ebp: 0 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0xfffffffe process_identifier: 2584	1	0
NtResumeThread Nov. 22, 2024, 3:32 p.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2584	1	0
CreateProcessInternalW Nov. 22, 2024, 3:31 p.m.	thread_identifier: 2784 thread_handle: 0x00000108 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000010c	1	1
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000108	1	0
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000108	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x00400000 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: M base_address: 0x00400000 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Z base_address: 0x00400001 process_identifier: 2780 process_handle: 0x0000010c	1	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c		3221225496
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 3219456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x030e0000 process_identifier: 2780 process_handle: 0x0000010c	1	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2780 region_size: 8253440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000010c	1	0
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000108	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: ¨/@aGâ base_address: 0x03400000 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x03400024 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x036fa824 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: Úßè3ò base_address: 0x03b70964 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: (t base_address: 0x03b70969 process_identifier: 2780 process_handle: 0x0000010c	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: 4846e7202b9b4e09dp-0bb6cc3f base_address: 0x03b7096d process_identifier: 2780 process_handle: 0x0000010c	1	1

%E5%B7%85%E3%82%BD%E5%B3%B0[%E9%95%BF%E4%B9%85]3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All