Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 8, 2022, 10:55 p.m.	Jan. 8, 2022, 10:57 p.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a0bc1018301f353dc99fdb2c973dbbeb`
SHA256	`2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901`
CRC32	`6021F2FC`
ssdeep	`24576:bEV6zCdkXp0oNKqScU6mA/jWcu1f/t2tzIvoGLtFMYWYkEaHNYK3pB1/:bEV4CdZgOAr/u92EoGLtV1NaT`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

ma.exe "C:\Users\test22\AppData\Local\Temp\ma.exe"
2312

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 8, 2022, 10:55 p.m.			0	0
IsDebuggerPresent Jan. 8, 2022, 10:55 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 8, 2022, 10:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00845d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 8, 2022, 10:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00845d20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 8, 2022, 10:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00845ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 8, 2022, 10:55 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section
section	.dSAbqKc
section	.adata

The executable uses a known packer (1 event)

packer

ASProtect v1.23 RC1

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 39 0a e8 ff exception.symbol: ma+0x2e93d3 exception.instruction: in eax, dx exception.module: ma.exe exception.exception_code: 0xc0000096 exception.offset: 3052499 exception.address: 0x6e93d3 registers.esp: 1638256 registers.edi: 5665222 registers.eax: 1750617430 registers.ebp: 4358144 registers.edx: 22614 registers.ebx: 4194304 registers.esi: 5679846 registers.ecx: 20	1
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d exception.symbol: ma+0x2e9447 exception.instruction: in eax, dx exception.module: ma.exe exception.exception_code: 0xc0000096 exception.offset: 3052615 exception.address: 0x6e9447 registers.esp: 1638256 registers.edi: 5665222 registers.eax: 1447909480 registers.ebp: 4358144 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 5679846 registers.ecx: 10	1
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: ma+0x1e0bc0 @ 0x5e0bc0 mscorlib+0x38cf8b @ 0x7235cf8b mscorlib+0x308c92 @ 0x722d8c92 mscorlib+0x308be1 @ 0x722d8be1 mscorlib+0x308ac5 @ 0x722d8ac5 mscorlib+0x2d4b22 @ 0x722a4b22 microsoft+0x13fd86 @ 0x7372fd86 microsoft+0x13fd55 @ 0x7372fd55 microsoft+0x151999 @ 0x73741999 microsoft+0x13b1f4 @ 0x7372b1f4 0x3a82469 0x35aa0df system+0x1f9799 @ 0x70369799 system+0x1f92c8 @ 0x703692c8 system+0x1eca74 @ 0x7035ca74 system+0x1ec868 @ 0x7035c868 system+0x1f82b8 @ 0x703682b8 system+0x1ee54d @ 0x7035e54d system+0x1f70ea @ 0x703670ea system+0x1e56c0 @ 0x703556c0 system+0x1f8215 @ 0x70368215 system+0x1f6f75 @ 0x70366f75 system+0x1ee251 @ 0x7035e251 system+0x1ee229 @ 0x7035e229 system+0x1ee170 @ 0x7035e170 0x35ba08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a system+0x1ebc85 @ 0x7035bc85 system+0x1f683b @ 0x7036683b system+0x1a5e44 @ 0x70315e44 system+0x1fd8a0 @ 0x7036d8a0 system+0x1fd792 @ 0x7036d792 system+0x72eea0 @ 0x7089eea0 microsoft+0x129f21 @ 0x73719f21 microsoft+0x12ad86 @ 0x7371ad86 microsoft+0x12b191 @ 0x7371b191 0x3a8010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73977610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a01dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a01e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a01f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a0416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f5f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 exception.instruction_r: f3 a4 5f 5e 64 8f 05 00 00 00 00 83 c4 04 8b 45 exception.symbol: ma+0x1eb5c0 exception.instruction: movsb byte ptr es:[edi], byte ptr [esi] exception.module: ma.exe exception.exception_code: 0xc0000005 exception.offset: 2012608 exception.address: 0x5eb5c0 registers.esp: 1633040 registers.edi: 90911384 registers.eax: 0 registers.ebp: 1633064 registers.edx: 4294963200 registers.ebx: 0 registers.esi: 7757824 registers.ecx: 786432	1
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: ma+0x1e0bc0 @ 0x5e0bc0 mscorlib+0x38cf8b @ 0x7235cf8b mscorlib+0x308c92 @ 0x722d8c92 mscorlib+0x308be1 @ 0x722d8be1 mscorlib+0x308ac5 @ 0x722d8ac5 mscorlib+0x2d4b22 @ 0x722a4b22 microsoft+0x13fd86 @ 0x7372fd86 microsoft+0x13fd55 @ 0x7372fd55 microsoft+0x151999 @ 0x73741999 microsoft+0x13b1f4 @ 0x7372b1f4 0x3a82469 0x35aa0df system+0x1f9799 @ 0x70369799 system+0x1f92c8 @ 0x703692c8 system+0x1eca74 @ 0x7035ca74 system+0x1ec868 @ 0x7035c868 system+0x1f82b8 @ 0x703682b8 system+0x1ee54d @ 0x7035e54d system+0x1f70ea @ 0x703670ea system+0x1e56c0 @ 0x703556c0 system+0x1f8215 @ 0x70368215 system+0x1f6f75 @ 0x70366f75 system+0x1ee251 @ 0x7035e251 system+0x1ee229 @ 0x7035e229 system+0x1ee170 @ 0x7035e170 0x35ba08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a system+0x1ebc85 @ 0x7035bc85 system+0x1f683b @ 0x7036683b system+0x1a5e44 @ 0x70315e44 system+0x1fd8a0 @ 0x7036d8a0 system+0x1fd792 @ 0x7036d792 system+0x72eea0 @ 0x7089eea0 microsoft+0x129f21 @ 0x73719f21 microsoft+0x12ad86 @ 0x7371ad86 microsoft+0x12b191 @ 0x7371b191 0x3a8010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73977610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a01dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a01e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a01f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a0416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f5f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 exception.instruction_r: f3 a4 5f 5e 64 8f 05 00 00 00 00 83 c4 04 8b 45 exception.symbol: ma+0x1eb5c0 exception.instruction: movsb byte ptr es:[edi], byte ptr [esi] exception.module: ma.exe exception.exception_code: 0xc0000005 exception.offset: 2012608 exception.address: 0x5eb5c0 registers.esp: 1633040 registers.edi: 90911384 registers.eax: 786432 registers.ebp: 1633064 registers.edx: 1988574931 registers.ebx: 0 registers.esi: 7757824 registers.ecx: 786432	1
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: 0x3a83ae3 0x3a83a35 0x3a8334a 0x3a825c7 0x35aa0df system+0x1f9799 @ 0x70369799 system+0x1f92c8 @ 0x703692c8 system+0x1eca74 @ 0x7035ca74 system+0x1ec868 @ 0x7035c868 system+0x1f82b8 @ 0x703682b8 system+0x1ee54d @ 0x7035e54d system+0x1f70ea @ 0x703670ea system+0x1e56c0 @ 0x703556c0 system+0x1f8215 @ 0x70368215 system+0x1f6f75 @ 0x70366f75 system+0x1ee251 @ 0x7035e251 system+0x1ee229 @ 0x7035e229 system+0x1ee170 @ 0x7035e170 0x35ba08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a system+0x1ebc85 @ 0x7035bc85 system+0x1f683b @ 0x7036683b system+0x1a5e44 @ 0x70315e44 system+0x1fd8a0 @ 0x7036d8a0 system+0x1fd792 @ 0x7036d792 system+0x72eea0 @ 0x7089eea0 microsoft+0x129f21 @ 0x73719f21 microsoft+0x12ad86 @ 0x7371ad86 microsoft+0x12b191 @ 0x7371b191 0x3a8010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73977610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a01dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a01e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a01f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a0416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f5f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3a83ba9 registers.esp: 1633164 registers.edi: 1633244 registers.eax: 0 registers.ebp: 1633256 registers.edx: 8490472 registers.ebx: 8490472 registers.esi: 63241064 registers.ecx: 0	1
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: 0x3a83ae3 0x3a83a35 0x3a83376 0x3a825c7 0x35aa0df system+0x1f9799 @ 0x70369799 system+0x1f92c8 @ 0x703692c8 system+0x1eca74 @ 0x7035ca74 system+0x1ec868 @ 0x7035c868 system+0x1f82b8 @ 0x703682b8 system+0x1ee54d @ 0x7035e54d system+0x1f70ea @ 0x703670ea system+0x1e56c0 @ 0x703556c0 system+0x1f8215 @ 0x70368215 system+0x1f6f75 @ 0x70366f75 system+0x1ee251 @ 0x7035e251 system+0x1ee229 @ 0x7035e229 system+0x1ee170 @ 0x7035e170 0x35ba08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a system+0x1ebc85 @ 0x7035bc85 system+0x1f683b @ 0x7036683b system+0x1a5e44 @ 0x70315e44 system+0x1fd8a0 @ 0x7036d8a0 system+0x1fd792 @ 0x7036d792 system+0x72eea0 @ 0x7089eea0 microsoft+0x129f21 @ 0x73719f21 microsoft+0x12ad86 @ 0x7371ad86 microsoft+0x12b191 @ 0x7371b191 0x3a8010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73977610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a01dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a01e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a01f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a0416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f5f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3a83ba9 registers.esp: 1633164 registers.edi: 1633244 registers.eax: 0 registers.ebp: 1633256 registers.edx: 8490472 registers.ebx: 8490472 registers.esi: 63241064 registers.ecx: 0	1
__exception__ Jan. 8, 2022, 10:55 p.m.	stacktrace: 0x3a83ae3 0x3a83a35 0x3a833a2 0x3a825c7 0x35aa0df system+0x1f9799 @ 0x70369799 system+0x1f92c8 @ 0x703692c8 system+0x1eca74 @ 0x7035ca74 system+0x1ec868 @ 0x7035c868 system+0x1f82b8 @ 0x703682b8 system+0x1ee54d @ 0x7035e54d system+0x1f70ea @ 0x703670ea system+0x1e56c0 @ 0x703556c0 system+0x1f8215 @ 0x70368215 system+0x1f6f75 @ 0x70366f75 system+0x1ee251 @ 0x7035e251 system+0x1ee229 @ 0x7035e229 system+0x1ee170 @ 0x7035e170 0x35ba08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755962fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a system+0x1ebc85 @ 0x7035bc85 system+0x1f683b @ 0x7036683b system+0x1a5e44 @ 0x70315e44 system+0x1fd8a0 @ 0x7036d8a0 system+0x1fd792 @ 0x7036d792 system+0x72eea0 @ 0x7089eea0 microsoft+0x129f21 @ 0x73719f21 microsoft+0x12ad86 @ 0x7371ad86 microsoft+0x12b191 @ 0x7371b191 0x3a8010d DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738b2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738c264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738c2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739774ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73977610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a01dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a01e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a01f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a0416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f5f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x742d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x742d4de3 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 a8 8b 45 a8 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3a83ba9 registers.esp: 1633164 registers.edi: 1633244 registers.eax: 0 registers.ebp: 1633256 registers.edx: 8490472 registers.ebx: 8490472 registers.esi: 63241064 registers.ecx: 0	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 522 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2022, 10:55 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Cookies

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\c5e504606bceb80648bcecb9e1bfe1ee.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\c5e504606bceb80648bcecb9e1bfe1ee.exe

The binary likely contains encrypted or compressed data indicative of a packer (6 events)

section

{u'size_of_data': u'0x00005c00', u'virtual_address': u'0x00002000', u'entropy': 7.9923533131705105, u'name': u'', u'virtual_size': u'0x00018000'}

entropy

7.99235331317

description