Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 14, 2023, 7:55 a.m.	Nov. 14, 2023, 7:59 a.m.

Size	12.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`57e0cde42e1f91a39c73cdb17f48f03e`
SHA256	`7ef4fce93908840ce8083e0a717e82f80720e5fa5d3b7820f3d6ceb9c23bfbbd`
CRC32	`C1D026FC`
ssdeep	`196608:T3+ONF3D9d/t5q7cvJa21FlU028hS2fV13mz9vElUaaLSBwo8Mc5h9Bf/Yti2SAH:VT9d/tovUFNhDfVRmz+MEEj`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description)

ummanew.exe "C:\Users\test22\AppData\Local\Temp\ummanew.exe"
2040
- InstallSetup5.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe"
  2136
  - Broom.exe C:\Users\test22\AppData\Local\Temp\Broom.exe
    2344
- toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
  2184
- e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
  2244
- latestX.exe "C:\Users\test22\AppData\Local\Temp\latestX.exe"
  2292

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.174.174.220	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 14, 2023, 7:55 a.m.			0	0
IsDebuggerPresent Nov. 14, 2023, 7:55 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 14, 2023, 7:55 a.m.		1	1	0

One or more processes crashed (50 out of 131072 events)

Time & API	Arguments	Status
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77919e31 GetProfileStringW+0x5b74 EnumResourceNamesW-0x40041 kernel32+0x43120 @ 0x75823120 toolspub2+0x25833 @ 0x425833 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77919e58 registers.esp: 1629608 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629652 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 8847360	1
__exception__ Nov. 14, 2023, 7:55 a.m.	stacktrace: LocalFlags+0x50 LocalHandle-0xee kernel32+0x831df @ 0x758631df toolspub2+0x2583b @ 0x42583b exception.instruction_r: 80 78 07 05 0f 84 27 56 02 00 f6 40 07 3f 0f 84 exception.symbol: RtlGetUserInfoHeap+0x4e RtlQueueWorkItem-0x3e7 ntdll+0x67cbf exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 425151 exception.address: 0x77907cbf registers.esp: 1629660 registers.edi: 8847360 registers.eax: 4294967288 registers.ebp: 1629712 registers.edx: 6 registers.ebx: 0 registers.esi: 0 registers.ecx: 2188	1

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01260000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01260000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01092000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0109a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0088c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 14, 2023, 7:55 a.m.	process_identifier: 2344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 9897762816 free_bytes_available: 9897762816 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 9961676800 free_bytes_available: 9961676800 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 10010918912 free_bytes_available: 10010918912 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 10010918912 free_bytes_available: 10010918912 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 10010918912 free_bytes_available: 10010918912 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 10014031872 free_bytes_available: 10014031872 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 10014031872 free_bytes_available: 10014031872 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 14, 2023, 7:56 a.m.	total_number_of_free_bytes: 10014031872 free_bytes_available: 10014031872 root_path: C: total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe

Drops an executable to the user AppData folder (13 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\Broom.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\InstallSetup5.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\ummanew.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00c78a00', u'virtual_address': u'0x00002000', u'entropy': 7.937255044820136, u'name': u'.text', u'virtual_size': u'0x00c78944'}

entropy

7.93725504482

description

A section with a high entropy has been found

entropy

0.999843413584

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

185.174.174.220

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops 156 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 156 events)

file	C:\Windows\Prefetch\RUNDLL32.EXE-DE9673F9.pf
file	C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file	C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
file	C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file	C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file	C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file	C:\Windows\Prefetch\MSCORSVW.EXE-57D17DAF.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file	C:\Windows\Prefetch\MSCORSVW.EXE-C3C515BD.pf
file	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file	C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file	C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file	C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file	C:\Windows\Prefetch\AgGlFgAppHistory.db
file	C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file	C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file	C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file	C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\AgRobust.db
file	C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Windows\Prefetch\GOOGLEUPDATECOMREGISTERSHELL6-BB6760AF.pf
file	C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
file	C:\Windows\Prefetch\7ZG.EXE-0F8C4081.pf
file	C:\Windows\Prefetch\CMD.EXE-AC113AA8.pf

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 438 events)

file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Windows\Prefetch\MAINTENANCESERVICE.EXE-FA0B1B99.pf
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\AgAppLaunch.db
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	c:\Windows\Temp\TS_7FC6.tmp
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	C:\Windows\Prefetch\AgGlGlobalHistory.db
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[4].htm
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\invalidcert[1]
file	C:\Windows\Prefetch\DLLHOST.EXE-97F6A314.pf
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(201804051522349E8).log
file	c:\Windows\Temp\TS_88E1.tmp
file	C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file	C:\Windows\Prefetch\JAVAWS.EXE-FE17358E.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\554576[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\getLoginStatus[2].nhn
file	C:\Windows\Prefetch\ELEVATION_SERVICE.EXE-9F359A74.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-B95715F5.pf
file	C:\Users\test22\AppData\Local\Temp\7zO4B1094CA\test.docx
file	c:\Windows\Temp\FXSAPIDebugLogFile.txt

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ Nov. 14, 2023, 7:56 a.m.	tid: 2188 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

ummanew.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All