Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 18, 2024, 9:31 a.m.	Nov. 18, 2024, 9:33 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d53d71d4a90c1cf70320d01ce454b13d`
SHA256	`9fbeae0f902a6f9ab7ba606d20966299a2a0354926bc11ca4a8253bf231ee438`
CRC32	`73C310A5`
ssdeep	`49152:B5fuGy0t6ZfJ0irESRmxNoWjvulqnHaJVqI:BFhVtK/oSuNoWjF6JYI`
Yara	themida_packer - themida packer Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description) PE_Header_Zero - PE File Signature

nicko.exe "C:\Users\test22\AppData\Local\Temp\nicko.exe"
1680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2024, 9:31 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)

section	\x00
section	.rsrc
section	.idata
section
section	kbtdscur
section	zqssdchj
section	.taggant

One or more processes crashed (50 out of 105 events)

Time & API	Arguments	Status
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: nicko+0x3160b9 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 3236025 exception.address: 0x6c60b9 registers.esp: 2883044 registers.edi: 0 registers.eax: 1 registers.ebp: 2883060 registers.edx: 8851456 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 55 51 e9 73 02 00 00 89 e0 e9 1a 00 00 00 bf exception.symbol: nicko+0x5ee3c exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 388668 exception.address: 0x40ee3c registers.esp: 2883012 registers.edi: 1971192040 registers.eax: 604292951 registers.ebp: 3994275860 registers.edx: 3866624 registers.ebx: 34731 registers.esi: 4294939128 registers.ecx: 4285811	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 51 53 68 1b 19 33 23 89 0c 24 b9 ac 1f ff 7f exception.symbol: nicko+0x5fcbd exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 392381 exception.address: 0x40fcbd registers.esp: 2883012 registers.edi: 1971192040 registers.eax: 32368 registers.ebp: 3994275860 registers.edx: 327927761 registers.ebx: 4294937932 registers.esi: 4290511 registers.ecx: 237801	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 52 53 bb 5a af e7 67 ba a9 f7 20 34 31 da 8b exception.symbol: nicko+0x1e6f38 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 1994552 exception.address: 0x596f38 registers.esp: 2883008 registers.edi: 4294269 registers.eax: 26274 registers.ebp: 3994275860 registers.edx: 2130566132 registers.ebx: 5860809 registers.esi: 5844076 registers.ecx: 953	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 31 ff ff 34 1f 8b 04 24 56 89 e6 52 89 1c 24 exception.symbol: nicko+0x1e751e exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 1996062 exception.address: 0x59751e registers.esp: 2883012 registers.edi: 4294269 registers.eax: 26274 registers.ebp: 3994275860 registers.edx: 2130566132 registers.ebx: 5887083 registers.esi: 5844076 registers.ecx: 953	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 57 e9 8f ff ff ff b9 98 b8 fa 7f 81 e9 32 48 exception.symbol: nicko+0x1e72cf exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 1995471 exception.address: 0x5972cf registers.esp: 2883012 registers.edi: 4294943788 registers.eax: 119529 registers.ebp: 3994275860 registers.edx: 2130566132 registers.ebx: 5887083 registers.esi: 5844076 registers.ecx: 953	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 55 51 b9 d4 e8 5b 57 81 e9 43 3a f3 74 51 ff exception.symbol: nicko+0x1e8bfd exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2001917 exception.address: 0x598bfd registers.esp: 2883008 registers.edi: 4294943788 registers.eax: 31368 registers.ebp: 3994275860 registers.edx: 2130566132 registers.ebx: 5887083 registers.esi: 5844076 registers.ecx: 5867079	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 9f cb 77 28 89 04 24 c7 04 24 7c 7f be 4c exception.symbol: nicko+0x1e8a9e exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2001566 exception.address: 0x598a9e registers.esp: 2883012 registers.edi: 4294943788 registers.eax: 1549541099 registers.ebp: 3994275860 registers.edx: 2130566132 registers.ebx: 5887083 registers.esi: 0 registers.ecx: 5870367	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 a3 95 b8 36 e9 62 f8 ff ff 53 e9 1d f5 ff exception.symbol: nicko+0x1f142d exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2036781 exception.address: 0x5a142d registers.esp: 2883012 registers.edi: 13250159 registers.eax: 5932374 registers.ebp: 3994275860 registers.edx: 55920 registers.ebx: 5870393 registers.esi: 1114345 registers.ecx: 4294939084	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 10 cc ff ff 8d 85 ec exception.symbol: nicko+0x1f838c exception.instruction: in eax, dx exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2065292 exception.address: 0x5a838c registers.esp: 2883004 registers.edi: 13250159 registers.eax: 1447909480 registers.ebp: 3994275860 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 5908326 registers.ecx: 20	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: nicko+0x1f5215 exception.address: 0x5a5215 exception.module: nicko.exe exception.exception_code: 0xc000001d exception.offset: 2052629 registers.esp: 2883004 registers.edi: 13250159 registers.eax: 1 registers.ebp: 3994275860 registers.edx: 22104 registers.ebx: 0 registers.esi: 5908326 registers.ecx: 20	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 7c 38 2d 12 01 exception.symbol: nicko+0x1f7615 exception.instruction: in eax, dx exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2061845 exception.address: 0x5a7615 registers.esp: 2883004 registers.edi: 13250159 registers.eax: 1447909480 registers.ebp: 3994275860 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 5908326 registers.ecx: 10	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 1c 03 00 00 81 eb e5 e1 59 7b e9 bc f6 ff exception.symbol: nicko+0x1fb830 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2078768 exception.address: 0x5ab830 registers.esp: 2883012 registers.edi: 13250159 registers.eax: 28546 registers.ebp: 3994275860 registers.edx: 5971457 registers.ebx: 21714796 registers.esi: 10 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 e9 be 05 00 00 81 ed 92 41 exception.symbol: nicko+0x1fb434 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2077748 exception.address: 0x5ab434 registers.esp: 2883012 registers.edi: 13250159 registers.eax: 3091903072 registers.ebp: 3994275860 registers.edx: 5971457 registers.ebx: 4294942112 registers.esi: 10 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 55 e8 03 00 00 00 20 5d c3 5d exception.symbol: nicko+0x1fbdb1 exception.instruction: int 1 exception.module: nicko.exe exception.exception_code: 0xc0000005 exception.offset: 2080177 exception.address: 0x5abdb1 registers.esp: 2882972 registers.edi: 0 registers.eax: 2882972 registers.ebp: 3994275860 registers.edx: 2122909768 registers.ebx: 5947049 registers.esi: 2012932996 registers.ecx: 4294962052	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 56 89 e6 53 bb 90 c6 f9 7e 50 b8 8c c6 f9 7e exception.symbol: nicko+0x203490 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2110608 exception.address: 0x5b3490 registers.esp: 2883012 registers.edi: 6006287 registers.eax: 29801 registers.ebp: 3994275860 registers.edx: 654654 registers.ebx: 1316542065 registers.esi: 10 registers.ecx: 5947532	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb ba ff e8 ff 2f e9 00 00 00 00 50 b8 40 a3 7f exception.symbol: nicko+0x203d3c exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2112828 exception.address: 0x5b3d3c registers.esp: 2883012 registers.edi: 5979539 registers.eax: 29801 registers.ebp: 3994275860 registers.edx: 654654 registers.ebx: 0 registers.esi: 322689 registers.ecx: 5947532	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 57 e9 66 00 00 00 89 04 24 89 3c exception.symbol: nicko+0x20eaba exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2157242 exception.address: 0x5beaba registers.esp: 2883004 registers.edi: 6026654 registers.eax: 27746 registers.ebp: 3994275860 registers.edx: 6 registers.ebx: 66281 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 5c 00 00 00 c1 e7 07 e9 92 01 00 00 81 cf exception.symbol: nicko+0x212648 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2172488 exception.address: 0x5c2648 registers.esp: 2883004 registers.edi: 6026654 registers.eax: 26971 registers.ebp: 3994275860 registers.edx: 6063833 registers.ebx: 1436097536 registers.esi: 1971262480 registers.ecx: 1963254922	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 de 8c fa 66 89 0c 24 89 e1 e9 75 00 00 00 exception.symbol: nicko+0x2122da exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2171610 exception.address: 0x5c22da registers.esp: 2883004 registers.edi: 6026654 registers.eax: 2443636840 registers.ebp: 3994275860 registers.edx: 6063833 registers.ebx: 4294943556 registers.esi: 1971262480 registers.ecx: 1963254922	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 55 e9 d2 05 00 00 87 2c 24 5c 89 0c 24 81 ec exception.symbol: nicko+0x216da4 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2190756 exception.address: 0x5c6da4 registers.esp: 2883000 registers.edi: 6026654 registers.eax: 30375 registers.ebp: 3994275860 registers.edx: 2130566132 registers.ebx: 156930289 registers.esi: 6056779 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 71 02 00 00 81 c4 04 00 00 00 50 89 e0 e9 exception.symbol: nicko+0x216cd5 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2190549 exception.address: 0x5c6cd5 registers.esp: 2883004 registers.edi: 1783979243 registers.eax: 30375 registers.ebp: 3994275860 registers.edx: 4294939856 registers.ebx: 156930289 registers.esi: 6087154 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 e9 9e f4 ff ff 5a 83 eb 04 exception.symbol: nicko+0x23754a exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2323786 exception.address: 0x5e754a registers.esp: 2882972 registers.edi: 6183190 registers.eax: 31987 registers.ebp: 3994275860 registers.edx: 116969 registers.ebx: 0 registers.esi: 6190564 registers.ecx: 0	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 84 07 00 00 ff 74 24 04 58 8f 04 24 5f 87 exception.symbol: nicko+0x23b3a3 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2339747 exception.address: 0x5eb3a3 registers.esp: 2882968 registers.edi: 6192572 registers.eax: 27490 registers.ebp: 3994275860 registers.edx: 342406836 registers.ebx: 6206110 registers.esi: 4010452632 registers.ecx: 348609507	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 64 01 00 00 5e 58 e9 00 00 00 00 2d 96 9e exception.symbol: nicko+0x23ba73 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2341491 exception.address: 0x5eba73 registers.esp: 2882972 registers.edi: 6192572 registers.eax: 27490 registers.ebp: 3994275860 registers.edx: 342406836 registers.ebx: 6233600 registers.esi: 19982673 registers.ecx: 4294942404	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 57 52 ba ad 48 fe 5f bf 5f 23 fa b0 29 d7 5a exception.symbol: nicko+0x23c18a exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2343306 exception.address: 0x5ec18a registers.esp: 2882968 registers.edi: 6192572 registers.eax: 6209051 registers.ebp: 3994275860 registers.edx: 342406836 registers.ebx: 1922360853 registers.esi: 19982673 registers.ecx: 4294942404	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 e5 ad 00 31 89 3c 24 e9 bb 00 00 00 81 cf exception.symbol: nicko+0x23be69 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2342505 exception.address: 0x5ebe69 registers.esp: 2882972 registers.edi: 6192572 registers.eax: 6236518 registers.ebp: 3994275860 registers.edx: 4294942656 registers.ebx: 3800650326 registers.esi: 19982673 registers.ecx: 4294942404	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 04 38 f7 29 89 1c 24 c7 04 24 6a 86 39 41 exception.symbol: nicko+0x23cd0c exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2346252 exception.address: 0x5ecd0c registers.esp: 2882972 registers.edi: 6192572 registers.eax: 32001 registers.ebp: 3994275860 registers.edx: 6215492 registers.ebx: 754065351 registers.esi: 0 registers.ecx: 604277074	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 53 83 ec 04 89 14 24 57 e9 30 ff ff ff bd 19 exception.symbol: nicko+0x23f075 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2355317 exception.address: 0x5ef075 registers.esp: 2882972 registers.edi: 3998068136 registers.eax: 32625 registers.ebp: 3994275860 registers.edx: 6224555 registers.ebx: 44777 registers.esi: 0 registers.ecx: 521750308	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 68 37 49 ff 53 e9 1d f8 ff ff exception.symbol: nicko+0x245ac2 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2382530 exception.address: 0x5f5ac2 registers.esp: 2882972 registers.edi: 3998068136 registers.eax: 74473 registers.ebp: 3994275860 registers.edx: 4294939780 registers.ebx: 4261380 registers.esi: 6277099 registers.ecx: 1969225870	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb b8 e9 8f 3f 5f c1 e8 05 48 e9 de 02 00 00 52 exception.symbol: nicko+0x246040 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2383936 exception.address: 0x5f6040 registers.esp: 2882972 registers.edi: 3998068136 registers.eax: 4294942528 registers.ebp: 3994275860 registers.edx: 6277774 registers.ebx: 3939837675 registers.esi: 6277099 registers.ecx: 1969225870	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 68 f6 c9 4f 89 04 24 c7 04 24 c4 exception.symbol: nicko+0x2473db exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2388955 exception.address: 0x5f73db registers.esp: 2882968 registers.edi: 6253995 registers.eax: 28325 registers.ebp: 3994275860 registers.edx: 1252781151 registers.ebx: 6255300 registers.esi: 6253618 registers.ecx: 26695	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 e9 fa fd ff ff 81 f2 c5 29 62 41 exception.symbol: nicko+0x2479cb exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2390475 exception.address: 0x5f79cb registers.esp: 2882972 registers.edi: 6253995 registers.eax: 28325 registers.ebp: 3994275860 registers.edx: 1252781151 registers.ebx: 6283625 registers.esi: 6253618 registers.ecx: 26695	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 9c 0b f9 7a e9 b8 02 00 00 5e 83 exception.symbol: nicko+0x247536 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2389302 exception.address: 0x5f7536 registers.esp: 2882972 registers.edi: 4294941712 registers.eax: 28325 registers.ebp: 3994275860 registers.edx: 1252781151 registers.ebx: 6283625 registers.esi: 2179172691 registers.ecx: 26695	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 e9 6c f9 ff ff 83 c4 04 ff 37 ff exception.symbol: nicko+0x256e0a exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2453002 exception.address: 0x606e0a registers.esp: 2882972 registers.edi: 6320823 registers.eax: 322689 registers.ebp: 3994275860 registers.edx: 1761208 registers.ebx: 6293875 registers.esi: 0 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 e9 1f 00 00 00 81 exception.symbol: nicko+0x25f092 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2486418 exception.address: 0x60f092 registers.esp: 2882968 registers.edi: 0 registers.eax: 6351561 registers.ebp: 3994275860 registers.edx: 111399269 registers.ebx: 6322286 registers.esi: 3850220 registers.ecx: 0	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 c6 33 64 4e 89 04 24 e9 e3 00 00 00 81 ef exception.symbol: nicko+0x25eecf exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2485967 exception.address: 0x60eecf registers.esp: 2882972 registers.edi: 0 registers.eax: 6382833 registers.ebp: 3994275860 registers.edx: 111399269 registers.ebx: 6322286 registers.esi: 3850220 registers.ecx: 0	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 53 51 e9 b6 07 00 00 8b 0c 24 83 c4 04 c1 ea exception.symbol: nicko+0x25ecde exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2485470 exception.address: 0x60ecde registers.esp: 2882972 registers.edi: 0 registers.eax: 6354213 registers.ebp: 3994275860 registers.edx: 111399269 registers.ebx: 0 registers.esi: 3850220 registers.ecx: 280646224	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 55 68 a7 f3 6f 7f 5d 01 ef 8b 2c 24 81 c4 04 exception.symbol: nicko+0x26de18 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2547224 exception.address: 0x61de18 registers.esp: 2882968 registers.edi: 6413663 registers.eax: 32082 registers.ebp: 3994275860 registers.edx: 1761208 registers.ebx: 1969225702 registers.esi: 3850220 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 f7 00 00 00 5a e9 28 fe ff ff 8b 24 24 e9 exception.symbol: nicko+0x26e0bc exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2547900 exception.address: 0x61e0bc registers.esp: 2882972 registers.edi: 6445745 registers.eax: 32082 registers.ebp: 3994275860 registers.edx: 1761208 registers.ebx: 1969225702 registers.esi: 3850220 registers.ecx: 774111232	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 bf 77 8a 7f 7e e9 d9 00 00 00 5f exception.symbol: nicko+0x26de02 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2547202 exception.address: 0x61de02 registers.esp: 2882972 registers.edi: 6417009 registers.eax: 32082 registers.ebp: 3994275860 registers.edx: 1761208 registers.ebx: 1969225702 registers.esi: 0 registers.ecx: 604277075	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 21 71 6c 53 89 04 24 54 8b 04 24 53 89 e3 exception.symbol: nicko+0x27dedb exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2612955 exception.address: 0x62dedb registers.esp: 2882968 registers.edi: 0 registers.eax: 28553 registers.ebp: 3994275860 registers.edx: 111399269 registers.ebx: 6453761 registers.esi: 3850220 registers.ecx: 6476839	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 28 01 00 00 81 e9 9b 22 ed 54 29 d9 81 c1 exception.symbol: nicko+0x27d811 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2611217 exception.address: 0x62d811 registers.esp: 2882972 registers.edi: 0 registers.eax: 28553 registers.ebp: 3994275860 registers.edx: 111399269 registers.ebx: 6453761 registers.esi: 3850220 registers.ecx: 6505392	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 53 57 bf 73 c1 f2 7e c1 e7 04 e9 82 ff ff ff exception.symbol: nicko+0x27dc21 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2612257 exception.address: 0x62dc21 registers.esp: 2882972 registers.edi: 0 registers.eax: 3652295272 registers.ebp: 3994275860 registers.edx: 111399269 registers.ebx: 6453761 registers.esi: 0 registers.ecx: 6480216	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 9a e5 fb 77 f7 1c 24 ff 04 24 e9 exception.symbol: nicko+0x27e705 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2615045 exception.address: 0x62e705 registers.esp: 2882972 registers.edi: 0 registers.eax: 31704 registers.ebp: 3994275860 registers.edx: 0 registers.ebx: 6483580 registers.esi: 0 registers.ecx: 2170180690	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 68 9b 73 6a 0c 89 3c 24 c7 04 24 27 97 ef 3b exception.symbol: nicko+0x28f679 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2684537 exception.address: 0x63f679 registers.esp: 2882972 registers.edi: 0 registers.eax: 31657 registers.ebp: 3994275860 registers.edx: 4294938960 registers.ebx: 6484932 registers.esi: 3967899473 registers.ecx: 6582350	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb e9 b2 f5 ff ff 29 d0 5a e9 0d 00 00 00 b8 48 exception.symbol: nicko+0x290d99 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2690457 exception.address: 0x640d99 registers.esp: 2882968 registers.edi: 6554429 registers.eax: 29031 registers.ebp: 3994275860 registers.edx: 1784776908 registers.ebx: 6484932 registers.esi: 3967899473 registers.ecx: 6582350	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 55 50 89 e0 05 04 00 00 00 2d 04 00 00 00 87 exception.symbol: nicko+0x2903ac exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2687916 exception.address: 0x6403ac registers.esp: 2882972 registers.edi: 6583460 registers.eax: 29031 registers.ebp: 3994275860 registers.edx: 1784776908 registers.ebx: 6484932 registers.esi: 3967899473 registers.ecx: 6582350	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 56 e9 1e 01 00 00 2d 28 6e fc 0e e9 e3 00 00 exception.symbol: nicko+0x2908e1 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2689249 exception.address: 0x6408e1 registers.esp: 2882972 registers.edi: 6557236 registers.eax: 1857574760 registers.ebp: 3994275860 registers.edx: 1784776908 registers.ebx: 0 registers.esi: 3967899473 registers.ecx: 6582350	1
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 68 75 f2 df 6f 8b exception.symbol: nicko+0x29a943 exception.instruction: sti exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2730307 exception.address: 0x64a943 registers.esp: 2882972 registers.edi: 6597793 registers.eax: 565858902 registers.ebp: 3994275860 registers.edx: 395049983 registers.ebx: 0 registers.esi: 6239615 registers.ecx: 3738837507	1

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2024, 9:31 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00027800', u'virtual_address': u'0x00001000', u'entropy': 7.983638178986072, u'name': u' \\x00 ', u'virtual_size': u'0x0005a000'}

entropy

7.98363817899

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a9600', u'virtual_address': u'0x00316000', u'entropy': 7.95425652968996, u'name': u'kbtdscur', u'virtual_size': u'0x001aa000'}

entropy

7.95425652969

description

A section with a high entropy has been found

entropy

0.994385026738

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (17 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 18, 2024, 9:31 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 18, 2024, 9:31 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 10 cc ff ff 8d 85 ec exception.symbol: nicko+0x1f838c exception.instruction: in eax, dx exception.module: nicko.exe exception.exception_code: 0xc0000096 exception.offset: 2065292 exception.address: 0x5a838c registers.esp: 2883004 registers.edi: 13250159 registers.eax: 1447909480 registers.ebp: 3994275860 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 5908326 registers.ecx: 20	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Themida.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKD.74840119
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74840119
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74840119
Arcabit	Trojan.Generic.D475F837
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Miner.vho
Alibaba	Trojan:Win32/Miner.1203dc29
MicroWorld-eScan	Trojan.GenericKD.74840119
Rising	Trojan.Kryptik@AI.81 (RDML:sy6C9GZ92HEGFvHmtHGEOQ)
Emsisoft	Trojan.GenericKD.74840119 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
McAfeeD	Real Protect-LS!D53D71D4A90C
Trapmine	malicious.high.ml.score
CTX	exe.trojan.themida
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.d53d71d4a90c1cf7
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Heur!.03A120A1
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Miner.vho
GData	Trojan.GenericKD.74840119
Varist	W32/Themida.CT.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5695130
McAfee	Artemis!D53D71D4A90C
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Amadey
Ikarus	Trojan.Win32.Themida
Panda	Trj/Chgt.AD
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml

nicko.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All