Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2021, 10:05 a.m.	July 12, 2021, 10:07 a.m.

Size	10.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`8d963f6419d21ded2f29c17091107438`
SHA256	`cb3ee2933be2c128df39405895b6ad8874efa16bd7e6f970ae14453c263d7369`
CRC32	`6C84009D`
ssdeep	`196608:+DKxowryYBfH6YkajwvevxTgJGLi3DFdF9thY2eS8nBKr4ExxYu:+2WqjaepTgJ5nF9thY2esr44eu`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

SC_hack.exe "C:\Users\test22\AppData\Local\Temp\SC_hack.exe"
1108
- Pencil_6.exe "C:\Users\test22\AppData\Roaming\bimetalismo\Pencil_6.exe"
  2852
  - WinDefence.exe "C:\Users\test22\AppData\Roaming\Windows Defence\WinDefence.exe"
    1572
- Cargo_57.exe "C:\Users\test22\AppData\Roaming\Software\Cargo_57.exe"
  2084
- Move_95.exe "C:\Users\test22\AppData\Roaming\Software\Move_95.exe"
  1452
- soft.exe "C:\Users\test22\AppData\Roaming\Software\soft.exe"
  2696
  - msg1.exe C:\ProgramData\msg1.exe
    1316
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.147.115.140	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 12, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 12, 2021, 10:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 12, 2021, 10:05 a.m.			0	0
IsDebuggerPresent July 12, 2021, 10:05 a.m.			0	0
IsDebuggerPresent July 12, 2021, 10:05 a.m.			0	0
IsDebuggerPresent July 12, 2021, 10:05 a.m.			0	0
IsDebuggerPresent July 12, 2021, 10:05 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 12, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c07a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c07a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 12, 2021, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 10:05 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (50 out of 65536 events)

Time & API	Arguments	Status
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d cargo_57+0x9a25cb @ 0x1404525cb cargo_57+0xa42ad2 @ 0x1404f2ad2 HeapWalk-0x1ce0 kernel32+0x0 @ 0x76e40000 0x61fbf8 0x61fbf8 0x61fbf8 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 42141 exception.address: 0x7fefd6da49d registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1
__exception__ July 12, 2021, 9:58 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 6419696 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 6421504 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 6421528 registers.rdi: 5364318208 registers.rax: 2001089726 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3718 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73794000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a31000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737b1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727c1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72751000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72731000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726f1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 12, 2021, 10:05 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000011000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000012000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000013000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000014000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000015000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000016000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000017000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000018000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000019000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001a000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001b000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000021000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000022000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000023000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000024000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000025000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000026000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000027000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000028000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000029000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002a000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002b000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000031000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000032000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000033000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000034000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000035000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800
NtAllocateVirtualMemory July 12, 2021, 9:58 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000036000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff		-1073741800

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 12, 2021, 9:59 a.m.	total_number_of_free_bytes: 13699043328 free_bytes_available: 13699043328 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Roaming\bimetalismo\Pencil_6.exe
file	C:\ProgramData\msg1.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinDefence.lnk
file	C:\Users\test22\AppData\Roaming\Software\soft.exe
file	C:\Users\test22\AppData\Roaming\Software\Move_95.exe
file	C:\Users\test22\AppData\Roaming\Software\Cargo_57.exe
file	C:\Users\test22\AppData\Local\Temp\nsk65A9.tmp\System.dll

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinDefence.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinDefence.lnk

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Roaming\bimetalismo\Pencil_6.exe
file	C:\Users\test22\AppData\Roaming\Software\Cargo_57.exe
file	C:\Users\test22\AppData\Roaming\Software\Move_95.exe
file	C:\Users\test22\AppData\Roaming\Software\soft.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Roaming\Software\Move_95.exe
file	C:\Users\test22\AppData\Roaming\bimetalismo\Pencil_6.exe
file	C:\Users\test22\AppData\Roaming\Software\soft.exe
file	C:\Users\test22\AppData\Local\Temp\nsk65A9.tmp\System.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 12, 2021, 10:05 a.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

194.147.115.140

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinDefence.lnk

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ July 12, 2021, 9:58 a.m.	tid: 2276 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

194.147.115.140:13402

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
McAfee	GenericRXAA-AA!F1CE5B50935C
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056eac71 )
K7GW	Trojan ( 0056eac71 )
Arcabit	Trojan.Generic.D2C5A581
Cyren	W32/MSIL_Agent.BJO.gen!Eldorado
ESET-NOD32	multiple detections
APEX	Malicious
Kaspersky	Trojan-Dropper.Win32.Dapato.qtjp
BitDefender	Trojan.GenericKD.46507393
NANO-Antivirus	Trojan.Win32.ClipBanker.iplwit
Avast	Win32:PWSX-gen [Trj]
Emsisoft	Trojan.GenericKD.46507393 (B)
DrWeb	Trojan.MulDrop16.14723
McAfee-GW-Edition	GenericRXOY-GA!46ACC00758E7
FireEye	Trojan.GenericKD.46507393
Sophos	Generic ML PUA (PUA)
Avira	HEUR/AGEN.1141415
Antiy-AVL	Trojan/Generic.ASMalwS.315B011
Microsoft	Trojan:Win32/Glupteba!ml
ZoneAlarm	HEUR:Backdoor.Win32.Agent.gen
GData	MSIL.Trojan.PSE.1BQFDSS
Cynet	Malicious (score: 99)
AhnLab-V3	Unwanted/Win32.RL_Agent.R358175
ALYac	Trojan.GenericKD.46507393
MAX	malware (ai score=85)
VBA32	BScope.TrojanDropper.Scrop
Malwarebytes	Malware.AI.256785172
Rising	Stealer.Agent!1.D483 (CLASSIC)
Yandex	Trojan.Slntscn24.bVVB1s
Ikarus	Trojan.Win32.Krypt
Fortinet	MSIL/Agent.DFY!tr
AVG	Win32:PWSX-gen [Trj]
Qihoo-360	HEUR/QVM20.1.61B0.Malware.Gen

SC_hack.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All