Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 8, 2025, 1:42 p.m.	Jan. 8, 2025, 1:47 p.m.

Size	6.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c2e8e44c11c1001f4072f7733187351c`
SHA256	`41ab23b309e21c17e71486a8f7d25274be8b54e8667d49a0cce8bd5867fd9012`
CRC32	`397B9DFE`
ssdeep	`196608:dwm6ZmEfC8bbptno9JPNoVez8rLAdtyI6uZZ/C1IAnyBsaMws5Wk1:W7C8bLo9JP4fAbyNum13FaJs5`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet anti_vm_detect - Possibly employs anti-virtualization techniques CAB_file_format - CAB archive file IsPE32 - (no description) UPX_Zero - UPX packed file

none.exe "C:\Users\test22\AppData\Local\Temp\none.exe"
2060
- J2Q03.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\J2Q03.exe
  2116
  - D9H54.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\D9H54.exe
    2168
    - 1x90B2.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1x90B2.exe
      2240
      - skotes.exe "C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe"
        2464
    - 2O0574.exe C:\Users\test22\AppData\Local\Temp\IXP002.TMP\2O0574.exe
      2508
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.206	Active	Moloch
185.215.113.43	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 51 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:42 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:43 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0
IsDebuggerPresent Jan. 8, 2025, 1:44 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 350 events)

Time & API	Arguments	Status
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb 60 bd 14 b0 5a ee e9 00 02 00 00 a4 0e d0 00 exception.symbol: 1x90b2+0x6cc97 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 445591 exception.address: 0x87cc97 registers.esp: 4586080 registers.edi: 0 registers.eax: 4586096 registers.ebp: 4586096 registers.edx: 4586088 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 81 ee b2 88 a6 1e 81 c6 ca b9 c9 69 53 56 68 exception.symbol: 1x90b2+0x6d6c4 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 448196 exception.address: 0x87d6c4 registers.esp: 4586044 registers.edi: 0 registers.eax: 29227 registers.ebp: 3998920724 registers.edx: 4586088 registers.ebx: 2130567168 registers.esi: 8900573 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 b9 97 18 77 3f 81 f1 ea cb c0 64 e9 00 00 exception.symbol: 1x90b2+0x6dccc exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 449740 exception.address: 0x87dccc registers.esp: 4586048 registers.edi: 0 registers.eax: 4294941588 registers.ebp: 3998920724 registers.edx: 2298801283 registers.ebx: 2130567168 registers.esi: 8929800 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 cd f4 ff ff 5f 81 e7 32 23 9f 37 81 c7 95 exception.symbol: 1x90b2+0x6eaf2 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 453362 exception.address: 0x87eaf2 registers.esp: 4586048 registers.edi: 8930189 registers.eax: 25710 registers.ebp: 3998920724 registers.edx: 789698905 registers.ebx: 985779852 registers.esi: 8929800 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 ab f8 ff ff be 3d de 76 5d 31 f3 5e 81 eb exception.symbol: 1x90b2+0x6e8d2 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 452818 exception.address: 0x87e8d2 registers.esp: 4586048 registers.edi: 8907621 registers.eax: 25710 registers.ebp: 3998920724 registers.edx: 235753 registers.ebx: 985779852 registers.esi: 8929800 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 31 8b 99 20 89 0c 24 52 c7 04 24 87 97 e7 exception.symbol: 1x90b2+0x1df0fc exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 1962236 exception.address: 0x9ef0fc registers.esp: 4586048 registers.edi: 8940750 registers.eax: 26468 registers.ebp: 3998920724 registers.edx: 2130566132 registers.ebx: 4294943536 registers.esi: 89833 registers.ecx: 10442077	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 92 01 00 00 5d c1 ed 08 81 c5 32 de 5f 27 exception.symbol: 1x90b2+0x1e178e exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 1972110 exception.address: 0x9f178e registers.esp: 4586044 registers.edi: 1971278790 registers.eax: 26491 registers.ebp: 3998920724 registers.edx: 10425465 registers.ebx: 10423275 registers.esi: 1971289089 registers.ecx: 21	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 57 e9 87 01 00 00 68 d5 2a d3 03 89 1c 24 exception.symbol: 1x90b2+0x1e1585 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 1971589 exception.address: 0x9f1585 registers.esp: 4586048 registers.edi: 0 registers.eax: 26491 registers.ebp: 3998920724 registers.edx: 10428768 registers.ebx: 10423275 registers.esi: 1259 registers.ecx: 21	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 ad 00 00 00 05 b0 c0 bf 1f 51 b9 exception.symbol: 1x90b2+0x1e8006 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 1998854 exception.address: 0x9f8006 registers.esp: 4586044 registers.edi: 0 registers.eax: 30322 registers.ebp: 3998920724 registers.edx: 1246794329 registers.ebx: 2001669120 registers.esi: 10452062 registers.ecx: 14288	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 53 e9 8e 06 00 00 05 d2 9b f7 6d e9 ca 03 00 exception.symbol: 1x90b2+0x1e7d00 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 1998080 exception.address: 0x9f7d00 registers.esp: 4586048 registers.edi: 0 registers.eax: 202985 registers.ebp: 3998920724 registers.edx: 1246794329 registers.ebx: 2001669120 registers.esi: 10455096 registers.ecx: 14288	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 68 8f 4c fd 69 89 24 exception.symbol: 1x90b2+0x1eccda exception.instruction: in eax, dx exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2018522 exception.address: 0x9fccda registers.esp: 4586040 registers.edi: 12922920 registers.eax: 1447909480 registers.ebp: 3998920724 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 10461459 registers.ecx: 20	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 1x90b2+0x1ecfcb exception.address: 0x9fcfcb exception.module: 1x90B2.exe exception.exception_code: 0xc000001d exception.offset: 2019275 registers.esp: 4586040 registers.edi: 12922920 registers.eax: 1 registers.ebp: 3998920724 registers.edx: 22104 registers.ebx: 0 registers.esi: 10461459 registers.ecx: 20	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ce 3b 2d 12 01 exception.symbol: 1x90b2+0x1ef219 exception.instruction: in eax, dx exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2028057 exception.address: 0x9ff219 registers.esp: 4586040 registers.edi: 12922920 registers.eax: 1447909480 registers.ebp: 3998920724 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 10461459 registers.ecx: 10	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 0a f3 fd 7f ff 04 24 81 2c 24 16 exception.symbol: 1x90b2+0x1f3031 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2043953 exception.address: 0xa03031 registers.esp: 4586048 registers.edi: 12922920 registers.eax: 32863 registers.ebp: 3998920724 registers.edx: 2130566132 registers.ebx: 24115812 registers.esi: 10 registers.ecx: 10528329	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 53 bb 3b 53 a8 3b e9 0a 01 00 00 89 14 24 exception.symbol: 1x90b2+0x1f2e79 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2043513 exception.address: 0xa02e79 registers.esp: 4586048 registers.edi: 12922920 registers.eax: 0 registers.ebp: 3998920724 registers.edx: 6379 registers.ebx: 24115812 registers.esi: 10 registers.ecx: 10498801	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 b5 8c b9 75 5d 69 2a 64 8f 05 00 00 exception.symbol: 1x90b2+0x1f376d exception.instruction: int 1 exception.module: 1x90B2.exe exception.exception_code: 0xc0000005 exception.offset: 2045805 exception.address: 0xa0376d registers.esp: 4586008 registers.edi: 0 registers.eax: 4586008 registers.ebp: 3998920724 registers.edx: 25730 registers.ebx: 10500111 registers.esi: 23706 registers.ecx: 10498640	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 31 db ff 34 18 ff 34 24 8b 0c 24 e9 00 00 00 exception.symbol: 1x90b2+0x201fdb exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2105307 exception.address: 0xa11fdb registers.esp: 4586048 registers.edi: 8896550 registers.eax: 10583412 registers.ebp: 3998920724 registers.edx: 6 registers.ebx: 24116031 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 3d 02 00 00 5a 8b 04 24 53 e9 e9 07 00 00 exception.symbol: 1x90b2+0x2016b7 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2102967 exception.address: 0xa116b7 registers.esp: 4586048 registers.edi: 8896550 registers.eax: 10583412 registers.ebp: 3998920724 registers.edx: 6 registers.ebx: 4294943456 registers.esi: 1971262480 registers.ecx: 792553	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 a0 ff ff ff 05 04 00 00 00 33 04 24 31 04 exception.symbol: 1x90b2+0x2079d0 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2128336 exception.address: 0xa179d0 registers.esp: 4586040 registers.edi: 8896550 registers.eax: 26538 registers.ebp: 3998920724 registers.edx: 223319431 registers.ebx: 4294943456 registers.esi: 1971262480 registers.ecx: 10606905	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 e9 32 fd ff ff 81 exception.symbol: 1x90b2+0x2074e2 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2127074 exception.address: 0xa174e2 registers.esp: 4586040 registers.edi: 59730 registers.eax: 26538 registers.ebp: 3998920724 registers.edx: 4294943516 registers.ebx: 4294943456 registers.esi: 1971262480 registers.ecx: 10606905	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 68 40 ad bf 6f e9 95 00 00 00 29 dd 68 42 exception.symbol: 1x90b2+0x2085d4 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2131412 exception.address: 0xa185d4 registers.esp: 4586036 registers.edi: 59730 registers.eax: 29998 registers.ebp: 3998920724 registers.edx: 4294943516 registers.ebx: 10583308 registers.esi: 1971262480 registers.ecx: 10606905	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 29 c0 e9 6b 00 00 00 f7 d0 e9 1f 01 00 00 53 exception.symbol: 1x90b2+0x207d61 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2129249 exception.address: 0xa17d61 registers.esp: 4586040 registers.edi: 59730 registers.eax: 29998 registers.ebp: 3998920724 registers.edx: 4294943516 registers.ebx: 10613306 registers.esi: 1971262480 registers.ecx: 10606905	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 14 03 00 00 81 c1 76 f8 7f 7f 81 c1 23 30 exception.symbol: 1x90b2+0x208094 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2130068 exception.address: 0xa18094 registers.esp: 4586040 registers.edi: 59730 registers.eax: 4294939948 registers.ebp: 3998920724 registers.edx: 4294943516 registers.ebx: 10613306 registers.esi: 1971262480 registers.ecx: 2348384616	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 8a 05 00 00 be 04 00 00 00 01 f2 5e 33 14 exception.symbol: 1x90b2+0x20c746 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2148166 exception.address: 0xa1c746 registers.esp: 4586040 registers.edi: 59730 registers.eax: 31917 registers.ebp: 3998920724 registers.edx: 1783979243 registers.ebx: 10613306 registers.esi: 4294938020 registers.ecx: 10633746	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 68 57 17 ff 7b 5d 01 ea 8b 2c 24 53 89 e3 exception.symbol: 1x90b2+0x22be99 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2277017 exception.address: 0xa3be99 registers.esp: 4586004 registers.edi: 3414053943 registers.eax: 31096 registers.ebp: 3998920724 registers.edx: 10728812 registers.ebx: 0 registers.esi: 10725008 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 70 35 18 43 e9 75 01 00 00 ff 34 24 5e 81 exception.symbol: 1x90b2+0x22baea exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2276074 exception.address: 0xa3baea registers.esp: 4586008 registers.edi: 3414053943 registers.eax: 31096 registers.ebp: 3998920724 registers.edx: 10759908 registers.ebx: 0 registers.esi: 10725008 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 56 89 2c 24 51 b9 25 d3 75 37 51 5d ff 34 24 exception.symbol: 1x90b2+0x22b968 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2275688 exception.address: 0xa3b968 registers.esp: 4586008 registers.edi: 3414053943 registers.eax: 116969 registers.ebp: 3998920724 registers.edx: 10732132 registers.ebx: 0 registers.esi: 10725008 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 19 00 00 00 89 0c 24 e9 e2 00 00 00 56 be exception.symbol: 1x90b2+0x22e0b5 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2285749 exception.address: 0xa3e0b5 registers.esp: 4586008 registers.edi: 623174691 registers.eax: 10742619 registers.ebp: 3998920724 registers.edx: 0 registers.ebx: 631766263 registers.esi: 1939180384 registers.ecx: 1914170053	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 ba 8e ee f9 7f e9 ad 08 00 00 89 e2 50 e9 exception.symbol: 1x90b2+0x2308de exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2296030 exception.address: 0xa408de registers.esp: 4586004 registers.edi: 10749868 registers.eax: 26362 registers.ebp: 3998920724 registers.edx: 325924597 registers.ebx: 336668804 registers.esi: 2568384852 registers.ecx: 336672972	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 f2 c8 ac 21 89 34 24 55 89 e5 68 40 d3 11 exception.symbol: 1x90b2+0x230c7e exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2296958 exception.address: 0xa40c7e registers.esp: 4586008 registers.edi: 10752982 registers.eax: 1325580128 registers.ebp: 3998920724 registers.edx: 0 registers.ebx: 336668804 registers.esi: 2568384852 registers.ecx: 336672972	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 e5 3f 2c 37 89 04 24 b8 5d b6 ff 7d 55 bd exception.symbol: 1x90b2+0x231f08 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2301704 exception.address: 0xa41f08 registers.esp: 4586004 registers.edi: 336668823 registers.eax: 29701 registers.ebp: 3998920724 registers.edx: 0 registers.ebx: 10753828 registers.esi: 10753013 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 e9 e8 f6 ff ff 83 ec 04 89 04 24 50 c7 04 exception.symbol: 1x90b2+0x23215a exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2302298 exception.address: 0xa4215a registers.esp: 4586008 registers.edi: 336668823 registers.eax: 29701 registers.ebp: 3998920724 registers.edx: 0 registers.ebx: 10783529 registers.esi: 4294940212 registers.ecx: 2298801283	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 10 ff 34 24 5b 83 ec 04 89 0c 24 exception.symbol: 1x90b2+0x235b83 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2317187 exception.address: 0xa45b83 registers.esp: 4586008 registers.edi: 336668823 registers.eax: 10801147 registers.ebp: 3998920724 registers.edx: 10770103 registers.ebx: 8908162 registers.esi: 4294940212 registers.ecx: 1969225870	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 b8 32 1d ff 31 56 be 9b 30 a7 73 31 f0 e9 exception.symbol: 1x90b2+0x23618e exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2318734 exception.address: 0xa4618e registers.esp: 4586008 registers.edi: 336668823 registers.eax: 10801147 registers.ebp: 3998920724 registers.edx: 4294939368 registers.ebx: 1829201 registers.esi: 4294940212 registers.ecx: 1969225870	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 57 e9 13 02 00 00 c1 ee 03 81 e6 7d 15 dd 7f exception.symbol: 1x90b2+0x2364f7 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2319607 exception.address: 0xa464f7 registers.esp: 4586004 registers.edi: 336668823 registers.eax: 32140 registers.ebp: 3998920724 registers.edx: 1227040768 registers.ebx: 10773413 registers.esi: 4294940212 registers.ecx: 1969225870	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 c6 03 00 00 5d 29 c3 e9 7f 00 00 00 81 2c exception.symbol: 1x90b2+0x2368a9 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2320553 exception.address: 0xa468a9 registers.esp: 4586008 registers.edi: 336668823 registers.eax: 32140 registers.ebp: 3998920724 registers.edx: 1227040768 registers.ebx: 10805553 registers.esi: 4294940212 registers.ecx: 1969225870	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 51 89 14 24 83 ec 04 e9 68 03 00 00 bd 85 0d exception.symbol: 1x90b2+0x2366c2 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2320066 exception.address: 0xa466c2 registers.esp: 4586008 registers.edi: 4294937452 registers.eax: 24811 registers.ebp: 3998920724 registers.edx: 1227040768 registers.ebx: 10805553 registers.esi: 4294940212 registers.ecx: 1969225870	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 fa 02 00 00 09 f2 5e e9 d6 04 00 00 81 c1 exception.symbol: 1x90b2+0x239c82 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2333826 exception.address: 0xa49c82 registers.esp: 4586004 registers.edi: 1227090608 registers.eax: 29094 registers.ebp: 3998920724 registers.edx: 10805554 registers.ebx: 10786600 registers.esi: 10805554 registers.ecx: 1227074417	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 54 8b 14 24 83 c4 04 68 ad 65 62 01 89 2c exception.symbol: 1x90b2+0x239ce1 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2333921 exception.address: 0xa49ce1 registers.esp: 4586008 registers.edi: 1227090608 registers.eax: 29094 registers.ebp: 3998920724 registers.edx: 10805554 registers.ebx: 10789334 registers.esi: 0 registers.ecx: 3909414019	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 c7 04 24 42 59 32 5f 81 2c exception.symbol: 1x90b2+0x23a85d exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2336861 exception.address: 0xa4a85d registers.esp: 4586008 registers.edi: 1227090608 registers.eax: 10816252 registers.ebp: 3998920724 registers.edx: 10805554 registers.ebx: 417252315 registers.esi: 0 registers.ecx: 1849779361	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 e9 42 exception.symbol: 1x90b2+0x23ab37 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2337591 exception.address: 0xa4ab37 registers.esp: 4586008 registers.edi: 1227090608 registers.eax: 10792952 registers.ebp: 3998920724 registers.edx: 10805554 registers.ebx: 0 registers.esi: 13035859 registers.ecx: 1849779361	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 55 52 50 b8 4a b6 df 3f e9 be 00 00 00 01 d6 exception.symbol: 1x90b2+0x25557e exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2446718 exception.address: 0xa6557e registers.esp: 4586008 registers.edi: 10878962 registers.eax: 322689 registers.ebp: 3998920724 registers.edx: 10931243 registers.ebx: 1969225702 registers.esi: 4294937684 registers.ecx: 0	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 29 ff ff 34 38 e9 4d fa ff ff exception.symbol: 1x90b2+0x256281 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2450049 exception.address: 0xa66281 registers.esp: 4586008 registers.edi: 10878962 registers.eax: 10929118 registers.ebp: 3998920724 registers.edx: 1779093998 registers.ebx: 1785860578 registers.esi: 4294937684 registers.ecx: 841194596	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 50 e9 b8 f8 ff ff 87 1c 24 5c 68 21 54 96 3e exception.symbol: 1x90b2+0x25612d exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2449709 exception.address: 0xa6612d registers.esp: 4586008 registers.edi: 4294942492 registers.eax: 10929118 registers.ebp: 3998920724 registers.edx: 1779093998 registers.ebx: 73002856 registers.esi: 4294937684 registers.ecx: 841194596	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 53 bb bc 3b fe 43 89 5c 24 exception.symbol: 1x90b2+0x25ccb7 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2477239 exception.address: 0xa6ccb7 registers.esp: 4586008 registers.edi: 10911109 registers.eax: 31076 registers.ebp: 3998920724 registers.edx: 2415576 registers.ebx: 10961912 registers.esi: 4284054062 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 e9 99 06 00 00 31 exception.symbol: 1x90b2+0x25cdb3 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2477491 exception.address: 0xa6cdb3 registers.esp: 4586008 registers.edi: 10911109 registers.eax: 31076 registers.ebp: 3998920724 registers.edx: 4204525672 registers.ebx: 10933664 registers.esi: 0 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 89 3c 24 54 5f 52 e9 fc 05 00 00 5d 56 be exception.symbol: 1x90b2+0x269991 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2529681 exception.address: 0xa79991 registers.esp: 4586008 registers.edi: 2001 registers.eax: 27801 registers.ebp: 3998920724 registers.edx: 11011487 registers.ebx: 810761803 registers.esi: 3768370335 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 56 e9 6b fe ff ff 89 e6 81 c6 04 00 00 00 55 exception.symbol: 1x90b2+0x269aed exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2530029 exception.address: 0xa79aed registers.esp: 4586008 registers.edi: 2001 registers.eax: 8382802 registers.ebp: 3998920724 registers.edx: 10986443 registers.ebx: 0 registers.esi: 3768370335 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 52 ba 9c 2d ef 7a 56 be d5 37 0c 01 55 bd 2d exception.symbol: 1x90b2+0x26a503 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2532611 exception.address: 0xa7a503 registers.esp: 4586004 registers.edi: 2001 registers.eax: 31570 registers.ebp: 3998920724 registers.edx: 10986443 registers.ebx: 10986655 registers.esi: 3768370335 registers.ecx: 1379598336	1
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: fb 68 ae 94 65 70 89 2c 24 53 89 0c 24 b9 8a c1 exception.symbol: 1x90b2+0x26a727 exception.instruction: sti exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2533159 exception.address: 0xa7a727 registers.esp: 4586008 registers.edi: 2001 registers.eax: 0 registers.ebp: 3998920724 registers.edx: 2179434839 registers.ebx: 10989633 registers.esi: 3768370335 registers.ecx: 1379598336	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 95 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 425984 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73eb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ef1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2025, 1:35 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2025, 1:42 p.m.	process_identifier: 2464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756e1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

skotes.exe tried to sleep 1062 seconds, actually delayed analysis time by 1062 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2423622 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2423622 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2421626 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2421626 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2420324 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 8, 2025, 1:42 p.m.	number_of_free_clusters: 2420324 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\3C01a.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\2O0574.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\4m130Z.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\D9H54.exe
file	C:\Users\test22\AppData\Local\Temp\IXP002.TMP\1x90B2.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\J2Q03.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\3C01a.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\4m130Z.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\J2Q03.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\D9H54.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 8, 2025, 1:42 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x006aba00', u'virtual_address': u'0x0000c000', u'entropy': 7.997424801899828, u'name': u'.rsrc', u'virtual_size': u'0x006ac000'}

entropy

7.9974248019

description

A section with a high entropy has been found

entropy

0.995264461606

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.206
host	185.215.113.43

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 345 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Jan. 8, 2025, 1:42 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA Jan. 8, 2025, 1:43 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
file	C:\Windows\Tasks\skotes.job

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 8, 2025, 1:42 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 50 68 8f 4c fd 69 89 24 exception.symbol: 1x90b2+0x1eccda exception.instruction: in eax, dx exception.module: 1x90B2.exe exception.exception_code: 0xc0000096 exception.offset: 2018522 exception.address: 0x9fccda registers.esp: 4586040 registers.edi: 12922920 registers.eax: 1447909480 registers.ebp: 3998920724 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 10461459 registers.ecx: 20	1	0	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Themida.vc
Cylance	Unsafe
VIPRE	Gen:Heur.Crifi.1
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Gen:Heur.Crifi.1
Arcabit	Trojan.Crifi.1
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Packed.Disabler-10009296-0
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.pef
MicroWorld-eScan	Gen:Heur.Crifi.1
Rising	Trojan.Agent!1.1074D (CLASSIC)
Emsisoft	Gen:Heur.Crifi.1 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.Packed2.48355
Zillya	Trojan.AgentGen.Win32.94
Trapmine	malicious.high.ml.score
CTX	exe.unknown.crifi
Sophos	Mal/Amadey-D
SentinelOne	Static AI - Malicious SFX
FireEye	Generic.mg.c2e8e44c11c1001f
Google	Detected
Avira	TR/Crypt.TPM.Gen
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:Win32/Caynamer.A!ml
GData	Gen:Heur.Crifi.1
Varist	W32/Kryptik.JKR.gen!Eldorado
Malwarebytes	Spyware.Stealc
Ikarus	Trojan.MSIL.Disabler
Zoner	Probably Heur.ExeHeaderL
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Themida.HZB!tr
AVG	Win32:Evo-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	185.215.113.206:80
dead_host	185.215.113.43:80

none.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All