Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 24, 2025, 10:17 a.m.	April 24, 2025, 10:24 a.m.

Size	534.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c88adc5cbaedceb9736716d910f3926c`
SHA256	`02dbffe00a4f21afcbf01f16ef154121957444bd8cce833c50f112952eb4cbac`
CRC32	`049B9669`
ssdeep	`12288:bh1Lk70TnvjcKJhb3w7QU9pk0PhmUDm8AqLofzl+w4VRy:nk70TrcOb7U70U68rkfzday`
PDB Path
Yara	PE_Header_Zero - PE File Signature MALWARE_Win_VT_RedLine - Detects RedLine infostealer UltraVNC_Zero - UltraVNC Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

cVEHCL4.exe "C:\Users\test22\AppData\Local\Temp\cVEHCL4.exe"
2544

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 149.154.167.220:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49164 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49164 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 24, 2025, 10:17 a.m.			0	0
IsDebuggerPresent April 24, 2025, 10:17 a.m.			0	0
IsDebuggerPresent April 24, 2025, 10:17 a.m.			0	0
IsDebuggerPresent April 24, 2025, 10:17 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 24, 2025, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00594ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00595360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005978d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005978d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00597810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00597810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 24, 2025, 10:17 a.m.		1	1	0

One or more processes crashed (50 out of 73 events)

Time & API	Arguments	Status
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: cvehcl4+0xf088 exception.instruction: stosb byte ptr es:[edi], al exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61576 exception.address: 0x40f088 registers.esp: 1636996 registers.edi: 4461476 registers.eax: 0 registers.ebp: 1637012 registers.edx: 0 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 12	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4464560 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2283	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4468656 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2251	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4472752 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2219	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4476848 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2187	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4480944 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2155	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4485040 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2123	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4489136 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2091	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4493232 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2059	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4497328 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 2027	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4501424 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1995	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4505520 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1963	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4509616 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1931	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4513712 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1899	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4517808 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1867	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4521904 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1835	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4526000 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1803	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4530096 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1771	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4534192 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1739	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4538288 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1707	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4542384 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1675	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4546480 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1643	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4550576 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1611	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4554672 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1579	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4558768 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1547	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4562864 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1515	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4566960 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1483	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4571056 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1451	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4575152 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1419	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4579248 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1387	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4583344 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1355	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4587440 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1323	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4591536 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1291	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4595632 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1259	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4599728 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1227	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4603824 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1195	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4607920 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1163	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4612016 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1131	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4616112 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1099	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4620208 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1067	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4624304 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1035	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4628400 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 1003	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4632496 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 971	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4636592 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 939	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4640688 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 907	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4644784 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 875	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4648880 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 843	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4652976 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 811	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4657072 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 779	1
__exception__ April 24, 2025, 10:17 a.m.	stacktrace: cvehcl4+0xf054 @ 0x40f054 cvehcl4+0xf0a0 @ 0x40f0a0 cvehcl4+0x1fa2 @ 0x401fa2 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: cvehcl4+0xefff exception.address: 0x40efff exception.module: cVEHCL4.exe exception.exception_code: 0xc0000005 exception.offset: 61439 registers.esp: 1636940 registers.edi: 4661168 registers.eax: 4461488 registers.ebp: 1636944 registers.edx: 20 registers.ebx: 0 registers.esi: 33685576 registers.ecx: 747	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 69 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02240000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02390000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02401000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02408000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0050a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02409000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0240a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0240c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0240d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0551d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0551f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02411000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02468000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:17 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02469000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 24, 2025, 10:17 a.m.	total_number_of_free_bytes: 13323517952 free_bytes_available: 13323517952 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW April 24, 2025, 10:17 a.m.	total_number_of_free_bytes: 13322969088 free_bytes_available: 13322969088 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\XClient.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\XClient.exe

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_VideoController
wmi	select * from Win32_OperatingSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 24, 2025, 10:17 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00063a00', u'virtual_address': u'0x00026000', u'entropy': 7.624269827674043, u'name': u'.rsrc', u'virtual_size': u'0x000639f0'}

entropy

7.62426982767

description

A section with a high entropy has been found

entropy

0.746954076851

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 24, 2025, 10:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XClient

reg_value

C:\Users\test22\AppData\Roaming\XClient.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW April 24, 2025, 10:17 a.m.	thread_identifier: 0 callback_function: 0x024e4db2 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	1245585	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (3 events)

Time & API	Arguments	Status	Return
CryptHashData April 24, 2025, 10:17 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00597910 flags: 0	1	1
CryptHashData April 24, 2025, 10:17 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00597e10 flags: 0	1	1
CryptHashData April 24, 2025, 10:17 a.m.	buffer: 2test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00597e10 flags: 0	1	1

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	cld.trojan.msil
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	Gen:Variant.Zusy.556867
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.556867
Sangfor	Suspicious.Win32.Save.pkr
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Zusy.556867
Arcabit	Trojan.Zusy.D87F43
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Bladabindi.NY
APEX	Malicious
Avast	Win32:MalwareX-gen [Cryp]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:MSIL/Bladabindi.911f2d95
MicroWorld-eScan	Gen:Variant.Zusy.556867
Rising	Backdoor.XWorm!8.1812C (CLOUD)
Emsisoft	Gen:Variant.Zusy.556867 (B)
F-Secure	Trojan.TR/ATRAPS.Gen
TrendMicro	Trojan.Win32.AMADEY.YXFDWZ
McAfeeD	ti!02DBFFE00A4F
Trapmine	malicious.high.ml.score
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/ATRAPS.Gen
Kingsoft	malware.kb.a.997
Gridinsoft	Risk.Win32.Downloader.dd!n
Microsoft	Trojan:MSIL/XWormRAT!rfn
GData	Gen:Variant.Zusy.556867
Varist	W32/ABTrojan.TBWD-4459
McAfee	Artemis!C88ADC5CBAED
DeepInstinct	MALICIOUS
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
Malwarebytes	Backdoor.XWorm.Generic
Ikarus	Trojan.MSIL.Bladabindi
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Win32.Trojan.ATRAPS.Mzfl
huorong	Trojan/Agent.cas
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Bladabindi.NY!tr
AVG	Win32:MalwareX-gen [Cryp]
Paloalto	generic.ml
alibabacloud	Trojan:MSIL/Bladabindi.NN

cVEHCL4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All