Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 28, 2021, 3:55 p.m.	Sept. 28, 2021, 4:15 p.m.

Size	4.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`990be1512e2d246835b3655ee103bf78`
SHA256	`a86744f9e727c3dd263352083cf53685c0f1eb934326ffa321d9e2cb529eec09`
CRC32	`D92BE9EC`
ssdeep	`98304:LZ73D973fsTQctBjLdJXQAEO+RPNHA/Hb6r6Rm4O00/BS+1HzBrBzdIKD:LJ9rfuQctBjvXoRPVAfbzO00I+9zf2Q`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

lv.exe "C:\Users\test22\AppData\Local\Temp\lv.exe"
1896
- vellum.exe "C:\Users\test22\AppData\Local\Temp\snarer\vellum.exe"
  2228
  - dllhost.exe dllhost.exe
    2724
  - cmd.exe cmd /c cmd < Conservava.bin
    668
    - cmd.exe cmd
      2532
      - findstr.exe findstr /V /R "^ThoXkCMHVjoPdjjUnRKBGXtNRUQHLahkBLuJHstxYDezGqPcGNiVmvZWpcusMyVDZWhEuCjiNfCeUKuQtxqYksMyMpAkkNITImxJMlftAZopTWwngfjsyXsIlo$" Ammirabile.bin
        1296
      - Mutato.exe.com Mutato.exe.com r
        2032
        
        Mutato.exe.com C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Mutato.exe.com r
        2540
      - PING.EXE ping 127.0.0.1
        2768
- kedger.exe "C:\Users\test22\AppData\Local\Temp\snarer\kedger.exe"
  2056

Name	Response	Post-Analysis Lookup
CjPiwXWAdOLiM.CjPiwXWAdOLiM

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0
IsDebuggerPresent Sept. 28, 2021, 3:55 p.m.			0	0

Command line console output was observed (43 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: Set kCRjoZWAem=DESKTOP- console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: Set tVRkhtoPHWpurqujRbYoCpdLPTjnal=QO5QU33 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: Set ivcVpgjTHMsWwGryViudwBvefShQazmaQsj=ping 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: Set ITHFNlX=MZ console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: <nul set /p = "%ITHFNlX%" > Mutato.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: findstr /V /R "^ThoXkCMHVjoPdjjUnRKBGXtNRUQHLahkBLuJHstxYDezGqPcGNiVmvZWpcusMyVDZWhEuCjiNfCeUKuQtxqYksMyMpAkkNITImxJMlftAZopTWwngfjsyXsIlo$" Ammirabile.bin >> Mutato.exe.com console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: copy Uscita.bin r console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: start Mutato.exe.com r console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: %ivcVpgjTHMsWwGryViudwBvefShQazmaQsj% console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 28, 2021, 3:55 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Sept. 28, 2021, 3:55 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 28, 2021, 3:55 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (50 out of 65536 events)

Time & API	Arguments	Status
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd6da49d kedger+0x4593ab @ 0x13fc793ab kedger+0x524bd2 @ 0x13fd44bd2 HeapWalk-0x1ce0 kernel32+0x0 @ 0x76e40000 0x20f9b8 0x20f9b8 0x20f9b8 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 42141 exception.address: 0x7fefd6da49d registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1
__exception__ Sept. 28, 2021, 3:47 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 2159280 registers.rsi: 1999256272 registers.r10: 0 registers.rbx: 0 registers.rsp: 2161088 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 2161112 registers.rdi: 5360648192 registers.rax: 1996963001 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (26 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72764000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73751000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73721000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:47 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:47 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077210000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72942000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f1a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f22000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f24000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f25000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 28, 2021, 3:55 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Sept. 28, 2021, 3:55 p.m.	number_of_free_clusters: 3349197 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW Sept. 28, 2021, 3:55 p.m.	number_of_free_clusters: 3349197 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\nsb65D8.tmp\UAC.dll
file	C:\Program Files (x86)\foler\olader\acppage.dll
file	C:\Program Files (x86)\foler\olader\acledit.dll
file	C:\Users\test22\AppData\Local\Temp\snarer\kedger.exe
file	C:\Program Files (x86)\foler\olader\adprovider.dll
file	C:\Users\test22\AppData\Local\Temp\snarer\vellum.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Mutato.exe.com

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsb65D8.tmp\UAC.dll
file	C:\Users\test22\AppData\Local\Temp\snarer\vellum.exe

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping 127.0.0.1

Attempts to identify installed AV products by installation directory (2 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\AVG

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2532 resumed a thread in remote process 2032
NtResumeThread Sept. 28, 2021, 3:55 p.m.	thread_handle: 0x00000134 suspend_count: 0 process_identifier: 2032	1	0	0

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ Sept. 28, 2021, 3:47 p.m.	tid: 1304 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.920754
FireEye	Gen:Variant.Razy.920754
ALYac	Gen:Variant.Razy.920754
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	multiple detections
APEX	Malicious
ClamAV	Win.Packed.Filerepmalware-9864117-0
Kaspersky	UDS:Backdoor.Win32.Agent
BitDefender	Gen:Variant.Razy.920754
Avast	NSIS:RansomX-gen [Ransom]
Emsisoft	Gen:Variant.Razy.920754 (B)
Sophos	Generic ML PUA (PUA)
eGambit	Unsafe.AI_Score_93%
Avira	HEUR/AGEN.1144143
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
GData	Win32.Trojan.BSE.HLJWVB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R441088
McAfee	GenericRXAA-FA!990BE1512E2D
MAX	malware (ai score=89)
Malwarebytes	Malware.AI.753280343
SentinelOne	Static AI - Suspicious PE
AVG	NSIS:RansomX-gen [Ransom]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_60% (W)

lv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All