Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2021, 10:45 p.m.	March 17, 2021, 10:47 p.m.

Size	498.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e83b5f2b03ffe236917d448f42937528`
SHA256	`978a48a2dabf47b1f89f176583063b5b52f68ef81dc48e6f4acf38a16ef3680f`
CRC32	`ECB411D9`
ssdeep	`12288:gqFIlDHGjf9HdagGizzBwQQGPJM5r6rC25NRHQTqW:9Wsjf9GizzBwx185NRwTqW`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero escalate_priv - Escalade priviledges win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check

NotepadPlus.txt "C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt"
2216
- NotepadPlus.txt "C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt"
  2704

Name	Response	Post-Analysis Lookup
premiumfonts.net	A 185.215.113.33	185.215.113.33

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.33	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 17, 2021, 10:46 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2021, 10:46 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	HiudKbJu
section	ALaPiFGn

One or more processes crashed (50 out of 32439 events)

Time & API	Arguments	Status
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 4849664 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 4915200 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 4980736 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5046272 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5111808 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5177344 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5242880 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5308416 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5373952 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5439488 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5505024 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5570560 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5636096 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5701632 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5767168 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5832704 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5898240 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 5963776 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6029312 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6094848 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6160384 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6225920 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6291456 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6422528 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6488064 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6619136 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 6684672 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 8847360 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 8912896 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 8978432 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9043968 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9109504 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9175040 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9240576 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9306112 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9371648 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9437184 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9502720 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9568256 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9633792 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9699328 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9764864 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9830400 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9895936 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 9961472 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 10027008 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 10092544 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 10158080 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 10223616 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1
__exception__ March 17, 2021, 10:45 p.m.	stacktrace: notepadplus+0x8e337 @ 0x48e337 notepadplus+0x2c248 @ 0x42c248 exception.instruction_r: 8b 3f eb 04 bd f7 02 e8 eb 04 4a 8c 25 2e 5f 81 exception.symbol: notepadplus+0x8e74b exception.instruction: mov edi, dword ptr [edi] exception.module: NotepadPlus.txt exception.exception_code: 0xc0000005 exception.offset: 583499 exception.address: 0x48e74b registers.esp: 891900 registers.edi: 10289152 registers.eax: 2714886306 registers.ebp: 891912 registers.edx: 1938870862 registers.ebx: 998776575 registers.esi: 2416619625 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 17, 2021, 10:45 p.m.	process_identifier: 2216 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:45 p.m.	process_identifier: 2216 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 17, 2021, 10:45 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 17, 2021, 10:46 p.m.	thread_identifier: 2560 thread_handle: 0x000000cc process_identifier: 2704 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt" filepath_r: C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000d0	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000060 process_name: mobsync.exe process_identifier: 2140	1	1
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000060 process_name: pw.exe process_identifier: 2360	1	1
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000060 process_name: taskhost.exe process_identifier: 752	1	1
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000060 process_name: NotepadPlus.txt process_identifier: 2216	1	1

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

CrowdStrike	win/malicious_confidence_80% (W)
Kaspersky	HEUR:Backdoor.Win32.Xaparo.gen
Paloalto	generic.ml
Rising	Backdoor.Xaparo!8.11758 (CLOUD)
Zillya	Backdoor.Xaparo.Win32.72
ZoneAlarm	HEUR:Backdoor.Win32.Xaparo.gen
Cynet	Malicious (score: 90)

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002f000', u'virtual_address': u'0x00060000', u'entropy': 7.993357390734667, u'name': u'HiudKbJu', u'virtual_size': u'0x0002f000'}

entropy

7.99335739073

description

A section with a high entropy has been found

entropy

0.384065372829

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (27 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000060 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000064 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000068 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x0000006c process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000070 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000074 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000078 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x0000007c process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000080 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000084 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000088 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x0000008c process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000090 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000094 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x00000098 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x0000009c process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000a0 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000a4 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000a8 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000ac process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000b0 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000b4 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000b8 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000bc process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000c0 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000c4 process_name: NotepadPlus.txt process_identifier: 2216		0	0
Process32NextW March 17, 2021, 10:45 p.m.	snapshot_handle: 0x000000c8 process_name: NotepadPlus.txt process_identifier: 2216		0	0

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0		3221225496
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0	1	0
NtProtectVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773bf000 process_handle: 0x000000d0	1	0
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0	1	0
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0	1	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 17, 2021, 10:46 p.m.	thread_identifier: 2560 thread_handle: 0x000000cc process_identifier: 2704 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt" filepath_r: C:\Users\test22\AppData\Local\Temp\NotepadPlus.txt stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000d0	1	1
NtGetContextThread March 17, 2021, 10:46 p.m.	thread_handle: 0x000000cc	1	0
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0		3221225496
NtUnmapViewOfSection March 17, 2021, 10:46 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2704 process_handle: 0x000000d0	1	0
NtUnmapViewOfSection March 17, 2021, 10:46 p.m.	base_address: 0x00400000 region_size: 1994129408 process_identifier: 2704 process_handle: 0x000000d0		3221225497
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0	1	0
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0	1	0
NtAllocateVirtualMemory March 17, 2021, 10:46 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d0	1	0

NotepadPlus.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All