Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 6, 2024, 10:48 a.m.	Jan. 6, 2024, 10:56 a.m.

Size	1.5MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`d51470d48757a38f3023a9d40a081056`
SHA256	`d248fd99ca4fe5a3a0b41829aacf20c91bf18c6b991d7f0061c1fe3716626578`
CRC32	`D4675B7C`
ssdeep	`24576:jbvRkQZEjGCqWfwg1piyraiHWD/MqMCPp1k72IWkiqGcpJGhBjikjQcfgcWe9:/b6j9qWfwgqD/MqMCPp1W2IWWpyBjzQU`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file EnigmaProtector_IN - EnigmaProtector

nocry.exe "C:\Users\test22\AppData\Local\Temp\nocry.exe"
2540
- powershell.exe "powershell" Get-MpPreference -verbose
  2672
- cmd.exe "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2852
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    2904
- cmd.exe "cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2952
  - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    2996
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
ipinfo.io	A 34.117.186.192	34.117.186.192

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.233.132.62	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.233.132.62:50500 -> 192.168.56.101:49168	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49168	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49168	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 6, 2024, 10:48 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 6, 2024, 10:48 a.m.			0	0
IsDebuggerPresent Jan. 6, 2024, 10:48 a.m.			0	0
IsDebuggerPresent Jan. 6, 2024, 10:48 a.m.			0	0
IsDebuggerPresent Jan. 6, 2024, 10:48 a.m.			0	0
IsDebuggerPresent Jan. 6, 2024, 10:48 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051ac50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051ac50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051ac50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b1d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051a4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 6, 2024, 10:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051b150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 6, 2024, 10:48 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXT

One or more processes crashed (29 events)

Time & API	Arguments	Status
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x270f88 @ 0xf50f88 nocry+0x26a364 @ 0xf4a364 nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995400 registers.edi: 17051888 registers.eax: 0 registers.ebp: 3995428 registers.edx: 2 registers.ebx: 1086550947 registers.esi: 14409728 registers.ecx: 39336200	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x270f88 @ 0xf50f88 nocry+0x26a364 @ 0xf4a364 nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995400 registers.edi: 3995400 registers.eax: 0 registers.ebp: 3995428 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995436	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x270f88 @ 0xf50f88 nocry+0x26a364 @ 0xf4a364 nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995400 registers.edi: 3995400 registers.eax: 0 registers.ebp: 3995428 registers.edx: 0 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995436	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 15813288 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 10215424 registers.esi: 14409728 registers.ecx: 14409728	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268a0b @ 0xf48a0b nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268d86 @ 0xf48d86 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 15813288 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 10215424 registers.esi: 14409728 registers.ecx: 0	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268d86 @ 0xf48d86 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268f18 @ 0xf48f18 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 15813288 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 10215424 registers.esi: 14409728 registers.ecx: 0	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268f18 @ 0xf48f18 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268f18 @ 0xf48f18 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x268f18 @ 0xf48f18 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 15813288 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 10215424 registers.esi: 14409728 registers.ecx: 0	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269107 @ 0xf49107 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15341030 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269225 @ 0xf49225 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: f7 f0 e8 6c 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15a5 exception.instruction: div eax exception.module: nocry.exe exception.exception_code: 0xc0000094 exception.offset: 1840549 exception.address: 0xea15a5 registers.esp: 3995312 registers.edi: 15813288 registers.eax: 0 registers.ebp: 3995340 registers.edx: 0 registers.ebx: 10215424 registers.esi: 14409728 registers.ecx: 922746934	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x269225 @ 0xf49225 nocry+0x26a36f @ 0xf4a36f nocry+0x3625a8 @ 0x10425a8 exception.instruction_r: 0f 0b e8 41 40 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: nocry+0x1c15d0 exception.instruction: ud2 exception.module: nocry.exe exception.exception_code: 0xc000001d exception.offset: 1840592 exception.address: 0xea15d0 registers.esp: 3995312 registers.edi: 3995312 registers.eax: 0 registers.ebp: 3995340 registers.edx: 2 registers.ebx: 15340987 registers.esi: 0 registers.ecx: 3995348	1
__exception__ Jan. 6, 2024, 10:48 a.m.	stacktrace: nocry+0x26da3f @ 0xf4da3f IsRasmanProcess+0x2e1 RasAddNotification-0x32b rasman+0x2c4c @ 0x6fa62c4c IsRasmanProcess+0x41e RasAddNotification-0x1ee rasman+0x2d89 @ 0x6fa62d89 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 89 07 8d 45 ec 50 8b 45 ec 50 6a 04 57 a1 20 c0 exception.symbol: nocry+0x1c7956 exception.instruction: mov dword ptr [edi], eax exception.module: nocry.exe exception.exception_code: 0xc0000005 exception.offset: 1866070 exception.address: 0xea7956 registers.esp: 181402896 registers.edi: 1974800520 registers.eax: 15706756 registers.ebp: 181402956 registers.edx: 2130230260 registers.ebx: 15706748 registers.esi: 7 registers.ecx: 2134376448	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 198 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02554000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f30000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03020000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03163000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03164000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0316b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0316c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0316d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0316e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0316f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:48 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x041a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
file	C:\Users\test22\AppData\Local\Temp\jobA4rEjy6z7bpz51\sqlite3.dll

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	"powershell" Get-MpPreference -verbose

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jobA4rEjy6z7bpz51\sqlite3.dll

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:'

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Jan. 6, 2024, 10:48 a.m.	thread_identifier: 2676 thread_handle: 0x000002d4 process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002e0	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 6, 2024, 10:48 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00057800', u'virtual_address': u'0x00002000', u'entropy': 7.9993831852254305, u'name': u'', u'virtual_size': u'0x000d6000'}

entropy

7.99938318523

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002fc00', u'virtual_address': u'0x000de000', u'entropy': 7.998617257272672, u'name': u'', u'virtual_size': u'0x0029e000'}

entropy

7.99861725727

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000efa00', u'virtual_address': u'0x0037c000', u'entropy': 7.974500833439296, u'name': u'.data', u'virtual_size': u'0x000f0000'}

entropy

7.97450083344

description

A section with a high entropy has been found

entropy

0.998003327787

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 6, 2024, 10:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 6, 2024, 10:48 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:'

Communicates with host for which no DNS query was performed (1 event)

host

193.233.132.62

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 6, 2024, 10:48 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131	reg_value	C:\Users\test22\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Uses Sysinternals tools in order to add additional command line functionality (4 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
cmdline	"cmd.exe" /c schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

Disables Windows Security features (8 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Jaik.208419
Skyhigh	BehavesLike.Win32.Generic.tc
McAfee	Artemis!D51470D48757
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_90% (D)
BitDefenderTheta	Gen:NN.ZexaF.36680.Ez0@auPAfqj
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.EnigmaProtector.M suspicious
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Jaik.208419
Emsisoft	Gen:Variant.Jaik.208419 (B)
F-Secure	Heuristic.HEUR/AGEN.1306479
VIPRE	Gen:Variant.Jaik.208419
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.Jaik.208419
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1306479
Kingsoft	Win32.Troj.Unknown.a
Arcabit	Trojan.Jaik.D32E23
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Backdoor:Win32/Bladabindi!ml
VBA32	Trojan.Wacatac
MAX	malware (ai score=87)
Zoner	Probably Heur.ExeHeaderL
Ikarus	Trojan.Dropper.Agent
Cybereason	malicious.f62a10
DeepInstinct	MALICIOUS

nocry.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All