Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 22, 2023, 8:44 a.m.	April 22, 2023, 8:47 a.m.

Size	5.0MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`36ec5db7a7da85a85416870098529108`
SHA256	`b86b793d720b43d3fb1525f98758256d1ccf4ed543dc1bd01b54921f7143fb46`
CRC32	`E4768550`
ssdeep	`49152:SZWMqic3obV0//WmD1ufCiORefaMG2wyFK7O3c194MXxdhtF4My9KMlenxepLMz:JMNRb6HdjSZZFKy7MhPOg`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
2628

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
211.101.237.65	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section
section	.themida

One or more processes crashed (50 out of 65536 events)

Time & API	Arguments	Status
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d setup+0x55aa03 @ 0x91aa03 setup+0x55a9ce @ 0x91a9ce HeapWalk-0x1ce0 kernel32+0x0 @ 0x76c10000 0x15fd68 0x15fd68 0x15fd68 GetProcAddress+0xe0 NlsValidateLocale-0x90 kernelbase+0x4210 @ 0x7fefd4f4210 setup+0x38f5f1 @ 0x74f5f1 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 0x2abce000000030 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 1994472144 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441152 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1441160 registers.rdi: 5619712 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: RtlRestoreContext+0x293 __chkstk-0x1fe ntdll+0x50bd2 @ 0x76d80bd2 exception.instruction_r: 48 cf 48 83 ec 30 4c 8b c4 48 81 ec d0 04 00 00 exception.symbol: RtlRestoreContext+0x293 __chkstk-0x1fe ntdll+0x50bd2 exception.instruction: iretq exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 330706 exception.address: 0x76d80bd2 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1
__exception__ April 22, 2023, 8:44 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 0 registers.r15: 0 registers.rcx: 1439328 registers.rsi: 0 registers.r10: 0 registers.rbx: 32 registers.rsp: 1441240 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 1993721121 registers.rdi: 0 registers.rax: 1995681412 registers.r13: 0	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 5779 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000011000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000012000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000013000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000014000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000015000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000016000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000017000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000018000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000019000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001a000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001b000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000001f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000021000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000022000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000023000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000024000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000025000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000026000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000027000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000028000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000029000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002a000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002b000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000002f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000031000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000032000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000033000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000034000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000035000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000036000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000037000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000038000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000039000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000003a000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000003b000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000003c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000003d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000003e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000003f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000040000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000041000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0009a000', u'virtual_address': u'0x00002000', u'entropy': 7.9997029467672105, u'name': u' ', u'virtual_size': u'0x0017a000'}

entropy

7.99970294677

description

A section with a high entropy has been found

Communicates with host for which no DNS query was performed (1 event)

host

211.101.237.65

DEP was bypassed by marking part of the stack executable by the process Setup.exe (8 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015c000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015d000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015e000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800
NtAllocateVirtualMemory April 22, 2023, 8:44 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000000015f000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	-1073741800

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Elastic	malicious (high confidence)
CrowdStrike	win/malicious_confidence_100% (D)
Symantec	ML.Attribute.HighConfidence
Avast	FileRepMalware [Pws]
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.36ec5db7a7da85a8
Sophos	Mal/Generic-S
Microsoft	Trojan:MSIL/Vidar.C!MTB
Google	Detected
McAfee	Artemis!36EC5DB7A7DA
Ikarus	Trojan.Win32.Generic
AVG	FileRepMalware [Pws]
DeepInstinct	MALICIOUS

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ April 22, 2023, 8:44 a.m.	tid: 2632 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All