Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 8, 2025, 1:42 p.m.	Jan. 8, 2025, 1:50 p.m.

Size	6.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`09bfd52dfee36db96073d2340182affc`
SHA256	`ed8d9fcde0da2f2a1f34cb3e963f963b989b714072fc73ea31f1ff409a597671`
CRC32	`6B250D29`
ssdeep	`196608:V4meP1uf0GbuJS3CSe0E2HuwSZS7QjE0I3yWDPq/M5k:VleEZiore0E2TSZSl1O/1`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file IsPE32 - (no description) UPX_Zero - UPX packed file

same.exe "C:\Users\test22\AppData\Local\Temp\same.exe"
184
- L3N25.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\L3N25.exe
  2108
  - M1f68.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\M1f68.exe
    2184
    - 1c55e8.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1c55e8.exe
      2240
      - skotes.exe "C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe"
        2460
    - 2t8446.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\2t8446.exe
      2508
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.206	Active	Moloch
185.215.113.43	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 61 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 360 events)

Time & API	Arguments	Status
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb 60 bd 14 b0 68 ee e9 00 02 00 00 da 65 c7 be exception.symbol: 1c55e8+0x6cbeb exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 445419 exception.address: 0x95cbeb registers.esp: 2881956 registers.edi: 0 registers.eax: 2881972 registers.ebp: 2881972 registers.edx: 2881964 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 bd 01 00 00 05 8d 30 db 7c e9 f9 fd ff ff exception.symbol: 1c55e8+0x6d853 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 448595 exception.address: 0x95d853 registers.esp: 2881920 registers.edi: 0 registers.eax: 26905 registers.ebp: 3999838228 registers.edx: 2881964 registers.ebx: 9818050 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 56 50 c7 04 24 66 80 f5 7e 56 be 20 bf 4b 7f exception.symbol: 1c55e8+0x6d04b exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 446539 exception.address: 0x95d04b registers.esp: 2881924 registers.edi: 0 registers.eax: 26905 registers.ebp: 3999838228 registers.edx: 0 registers.ebx: 9821203 registers.esi: 604292951 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 54 e9 1b 01 00 00 8f 04 0f 50 e9 88 02 00 exception.symbol: 1c55e8+0x6e019 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 450585 exception.address: 0x95e019 registers.esp: 2881920 registers.edi: 9821636 registers.eax: 26065 registers.ebp: 3999838228 registers.edx: 1035166791 registers.ebx: 9821203 registers.esi: 604292951 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 57 51 c7 04 24 f6 ec f3 6f ff 0c 24 81 0c 24 exception.symbol: 1c55e8+0x6ddf9 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 450041 exception.address: 0x95ddf9 registers.esp: 2881924 registers.edi: 9847701 registers.eax: 26065 registers.ebp: 3999838228 registers.edx: 237801 registers.ebx: 9821203 registers.esi: 604292951 registers.ecx: 4294944004	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 56 89 1c 24 89 14 24 50 b8 f6 5e bf 7d 89 c2 exception.symbol: 1c55e8+0x1e8295 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 1999509 exception.address: 0xad8295 registers.esp: 2881920 registers.edi: 11370602 registers.eax: 26469 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 16384250 registers.esi: 11353297 registers.ecx: 250	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 52 89 2c 24 bd 00 00 00 00 89 6c 24 04 5d exception.symbol: 1c55e8+0x1e8512 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2000146 exception.address: 0xad8512 registers.esp: 2881924 registers.edi: 11397071 registers.eax: 26469 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 16384250 registers.esi: 11353297 registers.ecx: 250	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 89 3c 24 57 c7 04 24 da c6 6c 2f 8b 3c 24 exception.symbol: 1c55e8+0x1e8165 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 1999205 exception.address: 0xad8165 registers.esp: 2881924 registers.edi: 11397071 registers.eax: 26469 registers.ebp: 3999838228 registers.edx: 4294943400 registers.ebx: 16384250 registers.esi: 11353297 registers.ecx: 766697	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 51 56 be f8 31 3e 7f f7 d6 81 c6 9b d5 29 exception.symbol: 1c55e8+0x1eb2ea exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2011882 exception.address: 0xadb2ea registers.esp: 2881924 registers.edi: 3159952895 registers.eax: 30433 registers.ebp: 3999838228 registers.edx: 29491 registers.ebx: 11378234 registers.esi: 11411388 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 a6 6f c8 18 89 34 24 54 5e 81 c6 04 00 00 exception.symbol: 1c55e8+0x1eab77 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2009975 exception.address: 0xadab77 registers.esp: 2881924 registers.edi: 1792719185 registers.eax: 4294939604 registers.ebp: 3999838228 registers.edx: 29491 registers.ebx: 11378234 registers.esi: 11411388 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 1b 7b 3e 05 89 04 24 b8 11 00 9b 7c c1 e8 exception.symbol: 1c55e8+0x1eb7f1 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2013169 exception.address: 0xadb7f1 registers.esp: 2881920 registers.edi: 11384000 registers.eax: 27354 registers.ebp: 3999838228 registers.edx: 29491 registers.ebx: 11378234 registers.esi: 11411388 registers.ecx: 2021213347	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 f9 fc ff ff 5c 81 f3 09 65 ff 5e 51 b9 9f exception.symbol: 1c55e8+0x1eb904 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2013444 exception.address: 0xadb904 registers.esp: 2881924 registers.edi: 11411354 registers.eax: 134889 registers.ebp: 3999838228 registers.edx: 29491 registers.ebx: 11378234 registers.esi: 11411388 registers.ecx: 4294942548	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 96 fe 4c 4c 89 14 24 exception.symbol: 1c55e8+0x1f6dfa exception.instruction: in eax, dx exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2059770 exception.address: 0xae6dfa registers.esp: 2881916 registers.edi: 3813416 registers.eax: 1447909480 registers.ebp: 3999838228 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 11416281 registers.ecx: 20	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 1c55e8+0x1f3c8e exception.address: 0xae3c8e exception.module: 1c55e8.exe exception.exception_code: 0xc000001d exception.offset: 2047118 registers.esp: 2881916 registers.edi: 3813416 registers.eax: 1 registers.ebp: 3999838228 registers.edx: 22104 registers.ebx: 0 registers.esi: 11416281 registers.ecx: 20	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ae 38 2d 12 01 exception.symbol: 1c55e8+0x1f8051 exception.instruction: in eax, dx exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2064465 exception.address: 0xae8051 registers.esp: 2881916 registers.edi: 3813416 registers.eax: 1447909480 registers.ebp: 3999838228 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 11416281 registers.ecx: 10	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 55 e8 03 00 00 00 20 5d c3 5d exception.symbol: 1c55e8+0x1fbc5b exception.instruction: int 1 exception.module: 1c55e8.exe exception.exception_code: 0xc0000005 exception.offset: 2079835 exception.address: 0xaebc5b registers.esp: 2881884 registers.edi: 0 registers.eax: 2881884 registers.ebp: 3999838228 registers.edx: 1974842112 registers.ebx: 11451728 registers.esi: 43 registers.ecx: 63531	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 c7 04 24 fa 32 2d 3d c1 2c 24 01 exception.symbol: 1c55e8+0x1fca47 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2083399 exception.address: 0xaeca47 registers.esp: 2881924 registers.edi: 3813416 registers.eax: 30378 registers.ebp: 3999838228 registers.edx: 11482842 registers.ebx: 24115702 registers.esi: 1729780417 registers.ecx: 1406009486	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 68 d3 50 e7 7f e9 e0 00 00 00 c1 e6 03 e9 exception.symbol: 1c55e8+0x1fc6e1 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2082529 exception.address: 0xaec6e1 registers.esp: 2881924 registers.edi: 6379 registers.eax: 0 registers.ebp: 3999838228 registers.edx: 11455418 registers.ebx: 24115702 registers.esi: 1729780417 registers.ecx: 1406009486	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 c9 00 00 00 c7 04 24 b2 31 df 6d ff 04 24 exception.symbol: 1c55e8+0x20c2e1 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2147041 exception.address: 0xafc2e1 registers.esp: 2881920 registers.edi: 9814658 registers.eax: 32357 registers.ebp: 3999838228 registers.edx: 6 registers.ebx: 24115921 registers.esi: 1971262480 registers.ecx: 11518564	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 5f 99 1e 04 89 3c 24 e9 1b 00 00 00 68 b3 exception.symbol: 1c55e8+0x20cb12 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2149138 exception.address: 0xafcb12 registers.esp: 2881924 registers.edi: 9814658 registers.eax: 32357 registers.ebp: 3999838228 registers.edx: 6 registers.ebx: 24115921 registers.esi: 1971262480 registers.ecx: 11550921	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 7b 0f 7b 32 89 2c 24 c7 04 24 84 a1 bb 1e exception.symbol: 1c55e8+0x20cde7 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2149863 exception.address: 0xafcde7 registers.esp: 2881924 registers.edi: 9814658 registers.eax: 2298801283 registers.ebp: 3999838228 registers.edx: 6 registers.ebx: 0 registers.esi: 1971262480 registers.ecx: 11521689	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 e9 cc fc ff ff 89 1c 24 89 24 24 e9 fa 01 exception.symbol: 1c55e8+0x21283e exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2172990 exception.address: 0xb0283e registers.esp: 2881916 registers.edi: 0 registers.eax: 28368 registers.ebp: 3999838228 registers.edx: 6 registers.ebx: 322689 registers.esi: 11545800 registers.ecx: 6	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 57 bf 65 14 d7 7b 81 c7 19 ed 1f b4 e9 f4 exception.symbol: 1c55e8+0x213321 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2175777 exception.address: 0xb03321 registers.esp: 2881912 registers.edi: 0 registers.eax: 31305 registers.ebp: 3999838228 registers.edx: 11546299 registers.ebx: 322689 registers.esi: 11545800 registers.ecx: 112522508	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 56 c7 04 24 00 7c exception.symbol: 1c55e8+0x213705 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2176773 exception.address: 0xb03705 registers.esp: 2881916 registers.edi: 0 registers.eax: 4294938568 registers.ebp: 3999838228 registers.edx: 11577604 registers.ebx: 3489708369 registers.esi: 11545800 registers.ecx: 112522508	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 e9 e0 fd ff ff 5c 01 d0 e9 00 00 00 00 5a exception.symbol: 1c55e8+0x2144be exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2180286 exception.address: 0xb044be registers.esp: 2881912 registers.edi: 0 registers.eax: 27616 registers.ebp: 3999838228 registers.edx: 998431699 registers.ebx: 244084348 registers.esi: 11549398 registers.ecx: 975087344	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 4a fe ff ff 68 1e 68 52 0e 89 0c 24 54 59 exception.symbol: 1c55e8+0x21418c exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2179468 exception.address: 0xb0418c registers.esp: 2881916 registers.edi: 0 registers.eax: 27616 registers.ebp: 3999838228 registers.edx: 998431699 registers.ebx: 244084348 registers.esi: 11577014 registers.ecx: 975087344	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 d3 f5 ff ff e9 48 01 00 00 00 00 00 00 00 exception.symbol: 1c55e8+0x214550 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2180432 exception.address: 0xb04550 registers.esp: 2881916 registers.edi: 84201 registers.eax: 27616 registers.ebp: 3999838228 registers.edx: 4294942364 registers.ebx: 244084348 registers.esi: 11577014 registers.ecx: 975087344	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 81 c6 e3 c9 76 7f 81 ee e6 4e 77 4f 03 34 24 exception.symbol: 1c55e8+0x237f4b exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2326347 exception.address: 0xb27f4b registers.esp: 2881880 registers.edi: 1971313652 registers.eax: 25796 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 11696127 registers.ecx: 1406009344	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 ad 37 7b 5f 81 2c 24 d5 17 c7 51 exception.symbol: 1c55e8+0x238313 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2327315 exception.address: 0xb28313 registers.esp: 2881884 registers.edi: 1971313652 registers.eax: 25796 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 4294944632 registers.esi: 11721923 registers.ecx: 2346917992	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 52 e9 7e ff ff ff 5b 2d d4 36 dc 07 89 c7 exception.symbol: 1c55e8+0x238c86 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2329734 exception.address: 0xb28c86 registers.esp: 2881884 registers.edi: 1971313652 registers.eax: 31565 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 1191749163 registers.esi: 11731242 registers.ecx: 2113141983	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 e5 09 00 00 5b e9 7a 02 00 00 bd e4 bf 24 exception.symbol: 1c55e8+0x23868b exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2328203 exception.address: 0xb2868b registers.esp: 2881884 registers.edi: 2170180690 registers.eax: 31565 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 11702466 registers.ecx: 2113141983	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 53 fe ff ff b8 fc de ec 97 57 52 89 c2 e9 exception.symbol: 1c55e8+0x23c252 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2343506 exception.address: 0xb2c252 registers.esp: 2881884 registers.edi: 0 registers.eax: 29594 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 4085343840 registers.esi: 11717599 registers.ecx: 2142279028	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 e9 a3 f9 ff ff bf 91 9e f7 69 57 e9 82 00 exception.symbol: 1c55e8+0x23f6f1 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2356977 exception.address: 0xb2f6f1 registers.esp: 2881880 registers.edi: 11726066 registers.eax: 11726528 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 737606814 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 e9 7f ff ff ff ff 74 24 04 59 8f 04 24 5c exception.symbol: 1c55e8+0x23fa30 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2357808 exception.address: 0xb2fa30 registers.esp: 2881884 registers.edi: 11726066 registers.eax: 11758179 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 737606814 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 57 e9 8f 00 00 00 f7 d5 83 ec 04 89 3c 24 exception.symbol: 1c55e8+0x23f661 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2356833 exception.address: 0xb2f661 registers.esp: 2881884 registers.edi: 11726066 registers.eax: 11729735 registers.ebp: 3999838228 registers.edx: 0 registers.ebx: 737606814 registers.esi: 1042769 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 0b fb ff ff bb df 4f 52 05 81 eb 4f 0f a8 exception.symbol: 1c55e8+0x2404a3 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2360483 exception.address: 0xb304a3 registers.esp: 2881880 registers.edi: 11726066 registers.eax: 28123 registers.ebp: 3999838228 registers.edx: 957804675 registers.ebx: 11730158 registers.esi: 1042769 registers.ecx: 678829286	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb be 7d e5 77 4f 56 e9 06 ff ff ff 87 2c 24 81 exception.symbol: 1c55e8+0x2402dc exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2360028 exception.address: 0xb302dc registers.esp: 2881884 registers.edi: 11726066 registers.eax: 28123 registers.ebp: 3999838228 registers.edx: 957804675 registers.ebx: 11758281 registers.esi: 1042769 registers.ecx: 678829286	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 b4 97 78 5b 89 14 24 c7 04 24 d2 07 eb 4b exception.symbol: 1c55e8+0x23fee1 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2359009 exception.address: 0xb2fee1 registers.esp: 2881884 registers.edi: 11726066 registers.eax: 28123 registers.ebp: 3999838228 registers.edx: 957804675 registers.ebx: 11733229 registers.esi: 0 registers.ecx: 80171088	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 00 26 a5 27 89 34 24 c7 04 24 d9 1c 00 00 exception.symbol: 1c55e8+0x247c52 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2391122 exception.address: 0xb37c52 registers.esp: 2881884 registers.edi: 4007288038 registers.eax: 32318 registers.ebp: 3999838228 registers.edx: 11794912 registers.ebx: 65804 registers.esi: 11726066 registers.ecx: 1969225870	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 89 3c 24 83 ec 04 89 04 24 c7 04 24 19 3e exception.symbol: 1c55e8+0x2482d3 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2392787 exception.address: 0xb382d3 registers.esp: 2881884 registers.edi: 4007288038 registers.eax: 3939837675 registers.ebp: 3999838228 registers.edx: 11765372 registers.ebx: 65804 registers.esi: 11726066 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 28 d4 b3 24 89 3c 24 bf 12 62 fc 75 81 ef exception.symbol: 1c55e8+0x24932b exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2396971 exception.address: 0xb3932b registers.esp: 2881884 registers.edi: 11796788 registers.eax: 4294940136 registers.ebp: 3999838228 registers.edx: 269 registers.ebx: 1986116178 registers.esi: 11765983 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 d2 f6 ff ff 8b 1c 24 57 89 e7 81 c7 04 00 exception.symbol: 1c55e8+0x24a205 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2400773 exception.address: 0xb3a205 registers.esp: 2881884 registers.edi: 11796788 registers.eax: 28194 registers.ebp: 3999838228 registers.edx: 0 registers.ebx: 1732992832 registers.esi: 157417 registers.ecx: 11773308	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 dd ea 77 7b 89 2c 24 50 89 14 24 c7 04 24 exception.symbol: 1c55e8+0x25b2fa exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2470650 exception.address: 0xb4b2fa registers.esp: 2881884 registers.edi: 11817515 registers.eax: 27810 registers.ebp: 3999838228 registers.edx: 1302232 registers.ebx: 604292945 registers.esi: 11869541 registers.ecx: 4294942000	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb ba 00 b1 d6 7c 81 ec 04 00 00 00 e9 5e 00 00 exception.symbol: 1c55e8+0x25f68c exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2487948 exception.address: 0xb4f68c registers.esp: 2881884 registers.edi: 11817515 registers.eax: 29477 registers.ebp: 3999838228 registers.edx: 1302232 registers.ebx: 604292945 registers.esi: 11887510 registers.ecx: 4294942000	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 53 e9 7c fa ff ff 8b 0c 24 81 c4 04 00 00 00 exception.symbol: 1c55e8+0x25fc2f exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2489391 exception.address: 0xb4fc2f registers.esp: 2881884 registers.edi: 11817515 registers.eax: 29477 registers.ebp: 3999838228 registers.edx: 0 registers.ebx: 604292945 registers.esi: 11861062 registers.ecx: 3924003155	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 68 72 32 b3 71 89 24 24 53 bb 04 00 00 00 exception.symbol: 1c55e8+0x26f9fa exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2554362 exception.address: 0xb5f9fa registers.esp: 2881884 registers.edi: 4007476288 registers.eax: 29854 registers.ebp: 3999838228 registers.edx: 0 registers.ebx: 4009623121 registers.esi: 11928516 registers.ecx: 434720848	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 bf ae 99 5f 81 0c 24 52 d6 2f 7f exception.symbol: 1c55e8+0x27a134 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2597172 exception.address: 0xb6a134 registers.esp: 2881884 registers.edi: 3030468968 registers.eax: 32333 registers.ebp: 3999838228 registers.edx: 2130566132 registers.ebx: 11929928 registers.esi: 4294937528 registers.ecx: 11999066	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 bd 61 76 7f 7a 81 f5 2b 06 exception.symbol: 1c55e8+0x27e80b exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2615307 exception.address: 0xb6e80b registers.esp: 2881880 registers.edi: 3030468968 registers.eax: 31956 registers.ebp: 3999838228 registers.edx: 156 registers.ebx: 11986818 registers.esi: 4133012601 registers.ecx: 157	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 31 f6 52 e9 27 f7 ff ff ff 34 24 5d 83 c4 04 exception.symbol: 1c55e8+0x27f064 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2617444 exception.address: 0xb6f064 registers.esp: 2881884 registers.edi: 3030468968 registers.eax: 31956 registers.ebp: 3999838228 registers.edx: 156 registers.ebx: 12018774 registers.esi: 4133012601 registers.ecx: 157	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 68 9e 28 4e 37 5d 81 f5 7a d8 81 2d 50 b8 exception.symbol: 1c55e8+0x27eba6 exception.instruction: sti exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2616230 exception.address: 0xb6eba6 registers.esp: 2881884 registers.edi: 3030468968 registers.eax: 2298801283 registers.ebp: 3999838228 registers.edx: 156 registers.ebx: 12018774 registers.esi: 4294937796 registers.ecx: 157	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 96 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 425984 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73eb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:35 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

skotes.exe tried to sleep 1097 seconds, actually delayed analysis time by 1097 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2423615 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2423615 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2421614 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2421614 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2420299 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2420299 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\3s26W.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\4W226f.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\2t8446.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\L3N25.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1c55e8.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\M1f68.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\4W226f.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\3s26W.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\M1f68.exe
file	C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\L3N25.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 8, 2025, 1:42 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x006b3a00', u'virtual_address': u'0x0000c000', u'entropy': 7.99759447005136, u'name': u'.rsrc', u'virtual_size': u'0x006b4000'}

entropy

7.99759447005

description

A section with a high entropy has been found

entropy

0.995286439449

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.206
host	185.215.113.43

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 363 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
file	C:\Windows\Tasks\skotes.job

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 96 fe 4c 4c 89 14 24 exception.symbol: 1c55e8+0x1f6dfa exception.instruction: in eax, dx exception.module: 1c55e8.exe exception.exception_code: 0xc0000096 exception.offset: 2059770 exception.address: 0xae6dfa registers.esp: 2881916 registers.edi: 3813416 registers.eax: 1447909480 registers.ebp: 3999838228 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 11416281 registers.ecx: 20	1	0	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Themida.vc
Cylance	Unsafe
VIPRE	Gen:Heur.Crifi.1
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Heur.Crifi.1
Arcabit	Trojan.Crifi.1
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Downloader.Amadey-9986882-0
Kaspersky	UDS:Trojan-PSW.Win32.Stealerc.piw
MicroWorld-eScan	Gen:Heur.Crifi.1
Rising	Trojan.Agent!1.1074D (CLASSIC)
Emsisoft	Gen:Heur.Crifi.1 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.Packed2.48355
Zillya	Trojan.AgentGen.Win32.94
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXFAGZ
Trapmine	malicious.high.ml.score
CTX	exe.unknown.crifi
Sophos	Mal/Amadey-D
SentinelOne	Static AI - Malicious SFX
FireEye	Generic.mg.09bfd52dfee36db9
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	malware.kb.a.955
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Program:Win32/Wacapew.C!ml
GData	Gen:Heur.Crifi.1
Varist	W32/Kryptik.JKR.gen!Eldorado
McAfee	Artemis!9382CD7E6CEB
Malwarebytes	Disabler.Trojan.MSIL.DDS
Ikarus	Trojan.MSIL.Disabler
Zoner	Probably Heur.ExeHeaderL
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Themida.HZB!tr
AVG	Win32:Evo-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	185.215.113.206:80
dead_host	185.215.113.43:80

same.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All