Summary | ZeroBOX

27.124.47.29.dll

UPX, Malicious Library, PE32, PE File, DLL
Category FILE
Machine s1_win7_x6401
Started March 1, 2025, 9:14 a.m.
Completed March 1, 2025, 9:18 a.m.
Size 1.1MB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a5008c9723d23257805632be4344625f
SHA256 e8e0b570da7fe439146d5ab370ae477b391f0ec38ef5bdf42d669bf68c341573
CRC32 3D419F79
ssdeep 24576:JzjssbYi5BP3Wx5cuWDHyEI6CmW6GrpZ:xsEleKPH6p
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
27.124.3.252 Active Moloch
31.192.232.23 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
packer Armadillo v1.xx - v2.xx
resource name None
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x450c DllRegisterServer-0xcb64a mfc42+0x13290 @ 0x735c3290
??0CBuyDlg@@QAE@PAVCWnd@@@Z+0x2f ?DoDataExchange@CBuyDlg@@MAEXPAVCDataExchange@@@Z-0x1bc 27+0x279f @ 0x1000279f
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c7 00 d8 a7 5b 73 c3 90 90 ec a7 5b 73 ef 6d 62
exception.instruction: mov dword ptr [eax], 0x735ba7d8
exception.exception_code: 0xc0000005
exception.symbol: ?classCDataPathProperty@CDataPathProperty@@2UCRuntimeClass@@B-0x4581 mfc42+0xa7cb
exception.address: 0x735ba7cb
registers.esp: 1898576
registers.edi: 0
registers.eax: 0
registers.ebp: 1898608
registers.edx: 9
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
??1CBuyDlg@@UAE@XZ+0x31 ??_FCBuyDlg@@QAEXXZ-0xcf 27+0x2681 @ 0x10002681
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 48 08 51 8b 55 fc 8b 42 04 50 8b 4d fc e8 a3
exception.instruction: mov ecx, dword ptr [eax + 8]
exception.exception_code: 0xc0000005
exception.symbol: ?OnBuysearch@CBuyDlg@@IAEXXZ+0x135f ?_messageEntries@CBuyDlg@@0QBUAFX_MSGMAP_ENTRY@@B-0x33d6 27+0x4e6a
exception.address: 0x10004e6a
registers.esp: 588636
registers.edi: 0
registers.eax: 236
registers.ebp: 588640
registers.edx: 9
registers.ebx: 0
registers.esi: 524664
registers.ecx: 236
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 40 6f 00 10 50 49 00 10 70 5d 00 10 20 4b 00 10
exception.instruction: inc eax
exception.exception_code: 0xc0000005
exception.symbol: ?messageMap@CBuyDlg@@1UAFX_MSGMAP@@B+0x8 27+0x82a8
exception.address: 0x100082a8
registers.esp: 3012812
registers.edi: 0
registers.eax: 327992
registers.ebp: 3012928
registers.edx: 9
registers.ebx: 0
registers.esi: 327992
registers.ecx: 0
1 0 0

__exception__

stacktrace:
?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x450c DllRegisterServer-0xcb64a mfc42+0x13290 @ 0x735c3290
??0CBuyDlg@@QAE@PAVCWnd@@@Z+0x2f ?DoDataExchange@CBuyDlg@@MAEXPAVCDataExchange@@@Z-0x1bc 27+0x279f @ 0x1000279f
??_FCBuyDlg@@QAEXXZ+0x11 ??0CBuyDlg@@QAE@PAVCWnd@@@Z-0xf 27+0x2761 @ 0x10002761
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c7 00 d8 a7 5b 73 c3 90 90 ec a7 5b 73 ef 6d 62
exception.instruction: mov dword ptr [eax], 0x735ba7d8
exception.exception_code: 0xc0000005
exception.symbol: ?classCDataPathProperty@CDataPathProperty@@2UCRuntimeClass@@B-0x4581 mfc42+0xa7cb
exception.address: 0x735ba7cb
registers.esp: 1701788
registers.edi: 0
registers.eax: 0
registers.ebp: 1701820
registers.edx: 9
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
?DoDataExchange@CBuyDlg@@MAEXPAVCDataExchange@@@Z+0x28 ?_GetBaseMessageMap@CBuyDlg@@KGPBUAFX_MSGMAP@@XZ-0x16a 27+0x2983 @ 0x10002983
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 7e 20 00 75 3a 8b 45 0c 57 8b 7d 08 50 8b cf
exception.instruction: cmp dword ptr [esi + 0x20], 0
exception.exception_code: 0xc0000005
exception.symbol: ?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x43427 DllRegisterServer-0x8c72f mfc42+0x521ab
exception.address: 0x736021ab
registers.esp: 1506600
registers.edi: 0
registers.eax: 262472
registers.ebp: 1506604
registers.edx: 262472
registers.ebx: 0
registers.esi: 104
registers.ecx: 104
1 0 0

__exception__

stacktrace:
?OnBuydelete@CBuyDlg@@IAEXXZ+0x14 ?OnOK@CBuyDlg@@MAEXXZ-0x4e 27+0x363e @ 0x1000363e
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 48 20 51 ff 15 10 82 00 10 8b e5 5d c3 cc cc
exception.instruction: mov ecx, dword ptr [eax + 0x20]
exception.exception_code: 0xc0000005
exception.symbol: ?OnBuysearch@CBuyDlg@@IAEXXZ+0x2408 ?_messageEntries@CBuyDlg@@0QBUAFX_MSGMAP_ENTRY@@B-0x232d 27+0x5f13
exception.address: 0x10005f13
registers.esp: 1441116
registers.edi: 0
registers.eax: 104
registers.ebp: 1441132
registers.edx: 9
registers.ebx: 0
registers.esi: 328002
registers.ecx: 104
1 0 0

__exception__

stacktrace:
?OnBuysavecontinue@CBuyDlg@@IAEXXZ+0x28 ?OnBuydelete@CBuyDlg@@IAEXXZ-0x562 27+0x30c8 @ 0x100030c8
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 56 20 8b f8 8b 8f b8 00 00 00 33 c0 89 4d e8
exception.instruction: mov edx, dword ptr [esi + 0x20]
exception.exception_code: 0xc0000005
exception.symbol: ?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x304e5 DllRegisterServer-0x9f671 mfc42+0x3f269
exception.address: 0x735ef269
registers.esp: 2881184
registers.edi: 0
registers.eax: 3389952
registers.ebp: 2881248
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 3365648
1 0 0

__exception__

stacktrace:
?OnBuysearch@CBuyDlg@@IAEXXZ+0x46 ?_messageEntries@CBuyDlg@@0QBUAFX_MSGMAP_ENTRY@@B-0x46ef 27+0x3b51 @ 0x10003b51
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 56 20 8b f8 8b 8f b8 00 00 00 33 c0 89 4d e8
exception.instruction: mov edx, dword ptr [esi + 0x20]
exception.exception_code: 0xc0000005
exception.symbol: ?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x304e5 DllRegisterServer-0x9f671 mfc42+0x3f269
exception.address: 0x735ef269
registers.esp: 981340
registers.edi: 0
registers.eax: 5355896
registers.ebp: 981404
registers.edx: 0
registers.ebx: 982476
registers.esi: 0
registers.ecx: 5331584
1 0 0

__exception__

stacktrace:
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 46 50 85 c0 74 08 50 e8 af e7 fe ff eb 09 8b
exception.instruction: mov eax, dword ptr [esi + 0x50]
exception.exception_code: 0xc0000005
exception.symbol: ?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B+0x4222f DllRegisterServer-0x8d927 mfc42+0x50fb3
exception.address: 0x73600fb3
registers.esp: 587660
registers.edi: 0
registers.eax: 588092
registers.ebp: 587764
registers.edx: 9
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
?OnOK@CBuyDlg@@MAEXXZ+0x45 ?OnBuysearch@CBuyDlg@@IAEXXZ-0x43a 27+0x36d1 @ 0x100036d1
rundll32+0x137d @ 0xf1137d
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 78 04 00 75 09 c7 45 f8 00 00 00 00 eb 17 8b
exception.instruction: cmp dword ptr [eax + 4], 0
exception.exception_code: 0xc0000005
exception.symbol: ?OnBuysearch@CBuyDlg@@IAEXXZ+0x1201 ?_messageEntries@CBuyDlg@@0QBUAFX_MSGMAP_ENTRY@@B-0x3534 27+0x4d0c
exception.address: 0x10004d0c
registers.esp: 2291700
registers.edi: 0
registers.eax: 220
registers.ebp: 2291708
registers.edx: 9
registers.ebx: 0
registers.esi: 131450
registers.ecx: 220
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 11 01 00 00 00 00 00 00 03 00 00 00 03 00 00 00
exception.instruction: adc dword ptr [ecx], eax
exception.exception_code: 0xc0000005
exception.symbol: ?OnBuysearch@CBuyDlg@@IAEXXZ+0x4735 ?messageMap@CBuyDlg@@1UAFX_MSGMAP@@B-0x60 27+0x8240
exception.address: 0x10008240
registers.esp: 1899028
registers.edi: 0
registers.eax: 65928
registers.ebp: 1899144
registers.edx: 9
registers.ebx: 0
registers.esi: 65928
registers.ecx: 0
1 0 0

__exception__

stacktrace:
rundll32+0x1326 @ 0xf11326
rundll32+0x1901 @ 0xf11901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ed 2a 00 10 40 82 00 10 40 6f 00 10 50 49 00 10
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: ?_messageEntries@CBuyDlg@@0QBUAFX_MSGMAP_ENTRY@@B+0x60 ??_7CBuyDlg@@6B@-0x8 27+0x82a0
exception.address: 0x100082a0
registers.esp: 1832860
registers.edi: 0
registers.eax: 131460
registers.ebp: 1832976
registers.edx: 9
registers.ebx: 0
registers.esi: 131460
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

Every call below was logged with the same fixed arguments and result: length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; Status 1, Return 0, Repeated 0. Only process_identifier and base_address vary:

process_identifier base_address
2576 0x10008000
2576 0x735b1000
2576 0x73521000
2576 0x734b0000
2576 0x733c1000
2576 0x73331000
2576 0x732f4000
2576 0x733c2000
2576 0x73481000
2660 0x10008000
2660 0x735b1000
2660 0x73521000
2660 0x734b0000
2660 0x733c1000
2660 0x73331000
2660 0x732f4000
2660 0x733c2000
2660 0x73481000
2752 0x10008000
2752 0x735b1000
2752 0x73521000
2752 0x734b0000
2752 0x733c1000
2752 0x73331000
2752 0x732f4000
2752 0x733c2000
2752 0x73481000
2840 0x10008000
2840 0x735b1000
2840 0x73521000
2840 0x734b0000
2840 0x733c1000
2840 0x73331000
2840 0x732f4000
2840 0x733c2000
2840 0x73481000
2940 0x10008000
2940 0x735b1000
2940 0x73521000
2940 0x734b0000
2940 0x733c1000
2940 0x73331000
2940 0x732f4000
2940 0x733c2000
2940 0x73481000
3032 0x10008000
3032 0x735b1000
3032 0x73521000
3032 0x734b0000
3032 0x733c1000
name language sublanguage filetype offset size
RT_DIALOG LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED data 0x0011b4b8 0x000004fc
RT_VERSION LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED data 0x0011b0f0 0x000003c8
None LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED data 0x0011b9b8 0x00000108
section .data (size_of_data 0x00111000, virtual_address 0x0000a000, virtual_size 0x00110d0c) entropy 7.2654042033 description A section with a high entropy has been found
entropy 0.957894736842 description Overall entropy of this PE file is high
host 27.124.3.252
host 31.192.232.23
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Cylance Unsafe
CrowdStrike win/malicious_confidence_70% (D)
Elastic malicious (high confidence)
APEX Malicious
Kaspersky HEUR:Backdoor.Win32.Lotok.gen
Rising Trojan.Kryptik!1.E27A (CLASSIC)
McAfeeD ti!E8E0B570DA7F
Jiangmin Heur:TrojanDropper.TDSS
Google Detected
Antiy-AVL Trojan/Win32.Agent
Kingsoft Win32.Hack.Lotok.gen
DeepInstinct MALICIOUS
Ikarus Backdoor.Win32.Zegost
huorong TrojanDownloader/Lotok.al
Paloalto generic.ml