Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	March 9, 2021, 2:47 p.m.	March 9, 2021, 2:49 p.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2f11ef6ef558c8fb652e69f3d88aa1d0`
SHA256	`52e8f3b03d6cde8793eb73ce1ce93c2856810d38c7d83c5597c6b859dd44c145`
CRC32	`09AB43BE`
ssdeep	`98304:AmieWSHq633T8CaQiPEj6YqBMtkoq+FBuaOEiw:Ity3Y3mj617oHFBMnw`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration PE_Header_Zero - PE File Signature Zero

nCoreManager.exe "C:\Users\Administrator\AppData\Local\Temp\nCoreManager.exe"
5600
- cmd.exe C:\Windows\system32\cmd.exe /c WMIC OS get osarchitecture >C:\ProgramData\SystemNetwork\arch.txt
  588

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2021, 2:47 p.m.			0	0
IsDebuggerPresent March 9, 2021, 2:47 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 9, 2021, 2:47 p.m.	buffer: 지정된 경로를 찾을 수 없습니다. console_handle: 0x0000000b	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	\x00
section	.idata
section
section	yadxjdvu
section	fmgayxie

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	QASDCYG
resource name	VSXZGRPGRZR

One or more processes crashed (50 out of 119 events)

Time & API	Arguments	Status
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5 RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: ncoremanager+0x48a0b9 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 4759737 exception.address: 0x143a0b9 registers.esp: 5961920 registers.edi: 0 registers.eax: 1 registers.ebp: 5961936 registers.edx: 24166400 registers.ebx: 2147340288 registers.esi: 0 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 f8 4b ed 27 89 04 24 68 43 44 c3 exception.symbol: ncoremanager+0xf4687 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 1001095 exception.address: 0x10a4687 registers.esp: 5961884 registers.edi: 1982398704 registers.eax: 26012 registers.ebp: 3958579220 registers.edx: 16449536 registers.ebx: 16474367 registers.esi: 4 registers.ecx: 17448386	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 68 be bb 73 4a 89 0c 24 c7 04 24 00 58 de 7f exception.symbol: ncoremanager+0xf40f6 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 999670 exception.address: 0x10a40f6 registers.esp: 5961888 registers.edi: 1982398704 registers.eax: 26012 registers.ebp: 3958579220 registers.edx: 16449536 registers.ebx: 16474367 registers.esi: 4 registers.ecx: 17474398	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb b8 42 01 9f 10 83 ec 04 89 0c 24 68 21 4a f5 exception.symbol: ncoremanager+0xf471c exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 1001244 exception.address: 0x10a471c registers.esp: 5961888 registers.edi: 1982398704 registers.eax: 26012 registers.ebp: 3958579220 registers.edx: 16449536 registers.ebx: 0 registers.esi: 235753 registers.ecx: 17451170	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 87 fe ff ff bf d2 fe dd 1d 01 f8 5f 01 d8 exception.symbol: ncoremanager+0xf4f67 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 1003367 exception.address: 0x10a4f67 registers.esp: 5961884 registers.edi: 17452448 registers.eax: 31670 registers.ebp: 3958579220 registers.edx: 16449536 registers.ebx: 1530452780 registers.esi: 235753 registers.ecx: 17451170	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 3e ff 34 24 e9 48 03 00 00 50 89 exception.symbol: ncoremanager+0xf4dbc exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 1002940 exception.address: 0x10a4dbc registers.esp: 5961888 registers.edi: 17484118 registers.eax: 31670 registers.ebp: 3958579220 registers.edx: 16449536 registers.ebx: 1530452780 registers.esi: 235753 registers.ecx: 17451170	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 e9 4b 06 00 00 81 ee 0e 20 49 00 01 exception.symbol: ncoremanager+0xf4f43 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 1003331 exception.address: 0x10a4f43 registers.esp: 5961888 registers.edi: 17484118 registers.eax: 1259 registers.ebp: 3958579220 registers.edx: 16449536 registers.ebx: 1530452780 registers.esi: 4294938112 registers.ecx: 17451170	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 57 89 1c 24 e9 86 03 00 00 83 ed 04 87 2c 24 exception.symbol: ncoremanager+0x343976 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3422582 exception.address: 0x12f3976 registers.esp: 5961888 registers.edi: 18434154 registers.eax: 28127 registers.ebp: 3958579220 registers.edx: 2345 registers.ebx: 815104 registers.esi: 19871390 registers.ecx: 19900036	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 57 e9 94 fe ff ff 29 c6 81 ee 81 f8 bb 7e 58 exception.symbol: ncoremanager+0x343b60 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3423072 exception.address: 0x12f3b60 registers.esp: 5961888 registers.edi: 18434154 registers.eax: 28127 registers.ebp: 3958579220 registers.edx: 4294941624 registers.ebx: 604292944 registers.esi: 19871390 registers.ecx: 19900036	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 0f fd ff ff 89 2c 24 55 bd c1 09 46 03 89 exception.symbol: ncoremanager+0x34a8dc exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3451100 exception.address: 0x12fa8dc registers.esp: 5961884 registers.edi: 892297623 registers.eax: 25450 registers.ebp: 3958579220 registers.edx: 19898520 registers.ebx: 19894310 registers.esi: 36891 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 8d 01 00 00 5e 87 de 53 f7 14 24 8b 1c 24 exception.symbol: ncoremanager+0x34a77b exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3450747 exception.address: 0x12fa77b registers.esp: 5961888 registers.edi: 892297623 registers.eax: 1259 registers.ebp: 3958579220 registers.edx: 19901298 registers.ebx: 0 registers.esi: 36891 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 1f 04 00 00 b9 4f 99 1b 76 81 e9 32 1e ff exception.symbol: ncoremanager+0x34cfce exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3461070 exception.address: 0x12fcfce registers.esp: 5961888 registers.edi: 4294942736 registers.eax: 19936757 registers.ebp: 3958579220 registers.edx: 19901298 registers.ebx: 941203686 registers.esi: 202985 registers.ecx: 941203686	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 34 exception.symbol: ncoremanager+0x35868e exception.instruction: in eax, dx exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3507854 exception.address: 0x130868e registers.esp: 5961880 registers.edi: 6692789 registers.eax: 1447909480 registers.ebp: 3958579220 registers.edx: 22104 registers.ebx: 1982643831 registers.esi: 19933639 registers.ecx: 20	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: ncoremanager+0x3574a5 exception.address: 0x13074a5 exception.module: nCoreManager.exe exception.exception_code: 0xc000001d exception.offset: 3503269 registers.esp: 5961880 registers.edi: 6692789 registers.eax: 1 registers.ebp: 3958579220 registers.edx: 22104 registers.ebx: 0 registers.esi: 19933639 registers.ecx: 20	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 6f 2a 17 15 01 exception.symbol: ncoremanager+0x35529e exception.instruction: in eax, dx exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3494558 exception.address: 0x130529e registers.esp: 5961880 registers.edi: 6692789 registers.eax: 1447909480 registers.ebp: 3958579220 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 19933639 registers.ecx: 10	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 52 58 a8 5d e9 a1 fc ff ff 33 14 exception.symbol: ncoremanager+0x35bc3e exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3521598 exception.address: 0x130bc3e registers.esp: 5961888 registers.edi: 6692789 registers.eax: 6379 registers.ebp: 3958579220 registers.edx: 4294938008 registers.ebx: 42781937 registers.esi: 20001091 registers.ecx: 5961096	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 52 ba ed c4 bd 35 81 f2 68 b6 6b 4a 56 89 04 exception.symbol: ncoremanager+0x3633e9 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3552233 exception.address: 0x13133e9 registers.esp: 5961884 registers.edi: 6692789 registers.eax: 25566 registers.ebp: 3958579220 registers.edx: 19971864 registers.ebx: 384942928 registers.esi: 20001091 registers.ecx: 19999649	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 35 05 00 00 83 e9 04 87 0c 24 e9 00 00 00 exception.symbol: ncoremanager+0x36300b exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3551243 exception.address: 0x131300b registers.esp: 5961888 registers.edi: 604292946 registers.eax: 0 registers.ebp: 3958579220 registers.edx: 19971864 registers.ebx: 384942928 registers.esi: 20001091 registers.ecx: 20002415	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb b9 e3 44 eb 7d e9 da fb ff ff 68 d1 74 7f 3a exception.symbol: ncoremanager+0x36fe0a exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3603978 exception.address: 0x131fe0a registers.esp: 5961880 registers.edi: 607947093 registers.eax: 32399 registers.ebp: 3958579220 registers.edx: 20054077 registers.ebx: 0 registers.esi: 1982712444 registers.ecx: 6	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 31 d2 ff 34 11 83 ec 04 89 04 24 68 00 b9 69 exception.symbol: ncoremanager+0x370592 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3605906 exception.address: 0x1320592 registers.esp: 5961880 registers.edi: 607947093 registers.eax: 26183 registers.ebp: 3958579220 registers.edx: 20054077 registers.ebx: 330527859 registers.esi: 1982712444 registers.ecx: 20080652	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 2c ff ff ff 01 d1 5a e9 63 06 00 00 89 3c exception.symbol: ncoremanager+0x3702e1 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3605217 exception.address: 0x13202e1 registers.esp: 5961880 registers.edi: 605849936 registers.eax: 26183 registers.ebp: 3958579220 registers.edx: 4294943848 registers.ebx: 330527859 registers.esi: 1982712444 registers.ecx: 20080652	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 57 53 bb 11 09 ff 3f c1 e3 01 e9 f2 fc ff ff exception.symbol: ncoremanager+0x373021 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3616801 exception.address: 0x1323021 registers.esp: 5961876 registers.edi: 605849936 registers.eax: 20064517 registers.ebp: 3958579220 registers.edx: 4294943848 registers.ebx: 330527859 registers.esi: 1982712444 registers.ecx: 20080652	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 55 52 89 2c 24 52 57 bf 00 bd fb 6b 89 fa 5f exception.symbol: ncoremanager+0x372f14 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3616532 exception.address: 0x1322f14 registers.esp: 5961880 registers.edi: 605849936 registers.eax: 20093695 registers.ebp: 3958579220 registers.edx: 4294943848 registers.ebx: 322689 registers.esi: 1982712444 registers.ecx: 4294941388	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 ca 06 00 00 4a 56 c7 04 24 fb 67 39 57 e9 exception.symbol: ncoremanager+0x381b36 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3676982 exception.address: 0x1331b36 registers.esp: 5961880 registers.edi: 2164264960 registers.eax: 32181 registers.ebp: 3958579220 registers.edx: 3951165439 registers.ebx: 116969 registers.esi: 4294937840 registers.ecx: 20158386	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 bd 9b 73 dc 77 81 exception.symbol: ncoremanager+0x3948d4 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3754196 exception.address: 0x13448d4 registers.esp: 5961848 registers.edi: 20200121 registers.eax: 27245 registers.ebp: 3958579220 registers.edx: 20229543 registers.ebx: 4294942624 registers.esi: 2091346 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 e2 03 00 00 35 5f 31 aa ec 89 c5 58 e9 06 exception.symbol: ncoremanager+0x395355 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3756885 exception.address: 0x1345355 registers.esp: 5961844 registers.edi: 20205328 registers.eax: 29373 registers.ebp: 3958579220 registers.edx: 20229543 registers.ebx: 4294942624 registers.esi: 2091346 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 b9 fb ff ff 81 e9 ad a2 5e 1f 50 b8 71 82 exception.symbol: ncoremanager+0x39546d exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3757165 exception.address: 0x134546d registers.esp: 5961848 registers.edi: 20234701 registers.eax: 29373 registers.ebp: 3958579220 registers.edx: 20229543 registers.ebx: 4294942624 registers.esi: 2091346 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 56 54 5e e9 5f 05 00 00 81 f5 a0 f5 8e 2a e9 exception.symbol: ncoremanager+0x395221 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3756577 exception.address: 0x1345221 registers.esp: 5961848 registers.edi: 20234701 registers.eax: 4294940764 registers.ebp: 3958579220 registers.edx: 1253593173 registers.ebx: 4294942624 registers.esi: 2091346 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 89 f9 ff ff c1 ef 02 81 c7 26 ce 8a 40 31 exception.symbol: ncoremanager+0x39642b exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3761195 exception.address: 0x134642b registers.esp: 5961844 registers.edi: 20234701 registers.eax: 29425 registers.ebp: 3958579220 registers.edx: 1253593173 registers.ebx: 20208573 registers.esi: 2091346 registers.ecx: 651027745	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 68 84 af d5 06 89 3c 24 50 c7 04 24 62 9e fd exception.symbol: ncoremanager+0x395c60 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3759200 exception.address: 0x1345c60 registers.esp: 5961848 registers.edi: 0 registers.eax: 724540813 registers.ebp: 3958579220 registers.edx: 1253593173 registers.ebx: 20211714 registers.esi: 2091346 registers.ecx: 651027745	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 05 94 11 f7 79 2d a1 64 ef 7f 03 04 24 57 bf exception.symbol: ncoremanager+0x396c84 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3763332 exception.address: 0x1346c84 registers.esp: 5961844 registers.edi: 0 registers.eax: 20212506 registers.ebp: 3958579220 registers.edx: 1253593173 registers.ebx: 17451843 registers.esi: 2091346 registers.ecx: 651027745	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 67 ff ff ff be b6 60 af 77 f7 d6 81 f6 bf exception.symbol: ncoremanager+0x397164 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3764580 exception.address: 0x1347164 registers.esp: 5961848 registers.edi: 0 registers.eax: 20215678 registers.ebp: 3958579220 registers.edx: 44777 registers.ebx: 17451843 registers.esi: 2091346 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 31 d2 83 ec 04 89 1c 24 56 68 92 cd 46 5c 89 exception.symbol: ncoremanager+0x39afac exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3780524 exception.address: 0x134afac registers.esp: 5961848 registers.edi: 0 registers.eax: 20260314 registers.ebp: 3958579220 registers.edx: 2147155968 registers.ebx: 65758 registers.esi: 2091346 registers.ecx: 1981574978	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 e9 97 01 00 00 5a exception.symbol: ncoremanager+0x39b47b exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3781755 exception.address: 0x134b47b registers.esp: 5961848 registers.edi: 0 registers.eax: 20260314 registers.ebp: 3958579220 registers.edx: 4294939696 registers.ebx: 65758 registers.esi: 83945 registers.ecx: 1981574978	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 68 a3 40 dd 21 89 3c 24 52 e9 50 00 00 00 31 exception.symbol: ncoremanager+0x39f22d exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3797549 exception.address: 0x134f22d registers.esp: 5961848 registers.edi: 20275220 registers.eax: 29641 registers.ebp: 3958579220 registers.edx: 2145871247 registers.ebx: 20237092 registers.esi: 20321037 registers.ecx: 2166108339	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 53 c7 04 24 d3 ea exception.symbol: ncoremanager+0x39ed98 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3796376 exception.address: 0x134ed98 registers.esp: 5961848 registers.edi: 20248724 registers.eax: 157417 registers.ebp: 3958579220 registers.edx: 2145871247 registers.ebx: 20237092 registers.esi: 20321037 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 81 c3 2f 17 f7 7a 03 1c 24 57 52 e9 6e 00 00 exception.symbol: ncoremanager+0x3a0546 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3802438 exception.address: 0x1350546 registers.esp: 5961844 registers.edi: 20248724 registers.eax: 29065 registers.ebp: 3958579220 registers.edx: 1906482136 registers.ebx: 20249748 registers.esi: 20321037 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 a3 fb ff ff f7 d0 05 ff ff ff ff 05 86 f3 exception.symbol: ncoremanager+0x3a0463 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3802211 exception.address: 0x1350463 registers.esp: 5961848 registers.edi: 20248724 registers.eax: 29065 registers.ebp: 3958579220 registers.edx: 1906482136 registers.ebx: 20278813 registers.esi: 20321037 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 57 bf 61 d8 f3 7d 56 e9 84 00 00 00 5e 2d dc exception.symbol: ncoremanager+0x39fee4 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3800804 exception.address: 0x134fee4 registers.esp: 5961848 registers.edi: 81129 registers.eax: 29065 registers.ebp: 3958579220 registers.edx: 0 registers.ebx: 20252729 registers.esi: 20321037 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 81 ef 04 00 00 00 exception.symbol: ncoremanager+0x3a6aa7 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3828391 exception.address: 0x1356aa7 registers.esp: 5961848 registers.edi: 20255543 registers.eax: 20279795 registers.ebp: 3958579220 registers.edx: 2147351540 registers.ebx: 2147483650 registers.esi: 0 registers.ecx: 607947088	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 1d 00 00 00 01 f1 5e 50 89 0c 24 e9 66 f9 exception.symbol: ncoremanager+0x3a7d13 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3833107 exception.address: 0x1357d13 registers.esp: 5961848 registers.edi: 20255543 registers.eax: 20307410 registers.ebp: 3958579220 registers.edx: 2104062694 registers.ebx: 2147483650 registers.esi: 0 registers.ecx: 1168936900	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 c2 00 00 00 41 55 83 ec 04 89 1c 24 57 89 exception.symbol: ncoremanager+0x3a7a99 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3832473 exception.address: 0x1357a99 registers.esp: 5961848 registers.edi: 20255543 registers.eax: 20307410 registers.ebp: 3958579220 registers.edx: 2104062694 registers.ebx: 604292947 registers.esi: 0 registers.ecx: 4294942720	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 2d cc 41 f7 7b 68 1f 79 be 30 89 0c 24 56 68 exception.symbol: ncoremanager+0x3c78c5 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3963077 exception.address: 0x13778c5 registers.esp: 5961844 registers.edi: 3938725426 registers.eax: 20412308 registers.ebp: 3958579220 registers.edx: 2007855284 registers.ebx: 3958865467 registers.esi: 33375668 registers.ecx: 2028265711	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 53 e9 46 00 00 00 89 34 24 52 ba c5 db 1b 77 exception.symbol: ncoremanager+0x3c7c93 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3964051 exception.address: 0x1377c93 registers.esp: 5961848 registers.edi: 2025813 registers.eax: 20415932 registers.ebp: 3958579220 registers.edx: 2007855284 registers.ebx: 3958865467 registers.esi: 33375668 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 75 02 00 00 81 c2 ae b6 5f 56 e9 f4 fb ff exception.symbol: ncoremanager+0x3c8ed9 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3968729 exception.address: 0x1378ed9 registers.esp: 5961844 registers.edi: 2025813 registers.eax: 26666 registers.ebp: 3958579220 registers.edx: 645478436 registers.ebx: 20416370 registers.esi: 33375668 registers.ecx: 0	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb e9 cb fe ff ff 89 34 24 be 5c a2 9b 79 e9 44 exception.symbol: ncoremanager+0x3c8e93 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3968659 exception.address: 0x1378e93 registers.esp: 5961848 registers.edi: 2025813 registers.eax: 26666 registers.ebp: 3958579220 registers.edx: 0 registers.ebx: 20419532 registers.esi: 33375668 registers.ecx: 105642088	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 55 bd e9 e7 7c 6f 81 ed 54 c5 ff 7b 81 f5 56 exception.symbol: ncoremanager+0x3d9b61 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 4037473 exception.address: 0x1389b61 registers.esp: 5961844 registers.edi: 0 registers.eax: 20484455 registers.ebp: 3958579220 registers.edx: 6685044 registers.ebx: 215906429 registers.esi: 4116723294 registers.ecx: 2007917936	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 68 45 c7 41 1d 89 3c 24 c7 04 24 c4 3f f7 4b exception.symbol: ncoremanager+0x3d9a77 exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 4037239 exception.address: 0x1389a77 registers.esp: 5961848 registers.edi: 0 registers.eax: 20487737 registers.ebp: 3958579220 registers.edx: 0 registers.ebx: 215906429 registers.esi: 4116723294 registers.ecx: 604277079	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 68 a7 c8 ec 4b 89 1c 24 50 e9 60 01 00 00 01 exception.symbol: ncoremanager+0x3eb5fa exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 4109818 exception.address: 0x139b5fa registers.esp: 5961844 registers.edi: 20558505 registers.eax: 32764 registers.ebp: 3958579220 registers.edx: 2147351540 registers.ebx: 20539922 registers.esi: 2007777520 registers.ecx: 5960912	1
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 6f a7 fd 3f ff 0c 24 e9 e3 fe ff exception.symbol: ncoremanager+0x3eba1e exception.instruction: sti exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 4110878 exception.address: 0x139ba1e registers.esp: 5961848 registers.edi: 20591269 registers.eax: 32764 registers.ebp: 3958579220 registers.edx: 2147351540 registers.ebx: 20539922 registers.esi: 2007777520 registers.ecx: 5960912	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 74 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77b2f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77ac4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 380928 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 9, 2021, 2:47 p.m.	process_identifier: 5600 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c WMIC OS get osarchitecture >C:\ProgramData\SystemNetwork\arch.txt

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0005ca00', u'virtual_address': u'0x00001000', u'entropy': 7.983686976729365, u'name': u' \\x00 ', u'virtual_size': u'0x000c7000'}

entropy

7.98368697673

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0001dc00', u'virtual_address': u'0x000c8000', u'entropy': 7.970222165607945, u'name': u'.rsrc', u'virtual_size': u'0x00028333'}

entropy

7.97022216561

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x002d1400', u'virtual_address': u'0x0048a000', u'entropy': 7.920152790284555, u'name': u'yadxjdvu', u'virtual_size': u'0x002d2000'}

entropy

7.92015279028

description

A section with a high entropy has been found

entropy

0.999555687204

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (50 out of 376 events)

url	http://www.expedia.com/favicon.ico
url	http://uk.ask.com/favicon.ico
url	http://www.priceminister.com/
url	http://ru.wikipedia.org/
url	http://www.merlin.com.pl/favicon.ico
url	http://www.cnet.com/favicon.ico
url	http://search.nifty.com/
url	http://ns.adobe.com/exif/1.0/
url	http://www.etmall.com.tw/
url	http://search.goo.ne.jp/
url	http://fr.wikipedia.org/favicon.ico
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	http://search.chol.com/favicon.ico
url	http://amazon.fr/
url	http://www.amazon.co.jp/
url	http://www.mtv.com/favicon.ico
url	http://busqueda.aol.com.mx/
url	http://search.live.com/results.aspx?FORM=SOLTDF
url	http://msdn.microsoft.com/
url	http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)
url	http://www.sify.com/favicon.ico
url	http://yellowpages.superpages.com/
url	http://suche.freenet.de/
url	http://search.aol.com/
url	http://browse.guardian.co.uk/
url	http://www.mercadolibre.com.mx/
url	http://www.asharqalawsat.com/
url	http://www.facebook.com/
url	http://si.wikipedia.org/favicon.ico
url	http://www.rtl.de/favicon.ico
url	http://search.msn.com/results.aspx?q=
url	http://search.naver.com/favicon.ico
url	http://en.wikipedia.org/favicon.ico
url	http://si.wikipedia.org/w/api.php?action=opensearch
url	http://udn.com/favicon.ico
url	http://rover.ebay.com
url	http://search.ebay.fr/
url	http://www.univision.com/
url	http://pt.wikipedia.org/w/api.php?action=opensearch
url	http://it.wikipedia.org/favicon.ico
url	http://uk.ask.com/
url	http://www.google.co.uk/
url	http://cnweb.search.live.com/results.aspx?q=
url	http://www.google.cz/
url	http://www.google.co.jp/
url	http://search.ebay.co.uk/
url	http://www.weather.com/
url	http://www.taobao.com/favicon.ico
url	http://www.news.com.au/favicon.ico

Yara rule detected in process memory (41 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\system32\cmd.exe /c WMIC OS get osarchitecture >C:\ProgramData\SystemNetwork\arch.txt

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (17 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA March 9, 2021, 2:47 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 9, 2021, 2:47 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 9, 2021, 2:47 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 34 exception.symbol: ncoremanager+0x35868e exception.instruction: in eax, dx exception.module: nCoreManager.exe exception.exception_code: 0xc0000096 exception.offset: 3507854 exception.address: 0x130868e registers.esp: 5961880 registers.edi: 6692789 registers.eax: 1447909480 registers.ebp: 3958579220 registers.edx: 22104 registers.ebx: 1982643831 registers.esi: 19933639 registers.ecx: 20	1	0	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.71442
FireEye	Generic.mg.2f11ef6ef558c8fb
CAT-QuickHeal	Trojan.Multi
ALYac	Trojan.GenericKDZ.71442
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00576dd11 )
Alibaba	Packed:Win32/Themida.ca9b50a6
K7GW	Trojan ( 00576dd11 )
Cybereason	malicious.ef558c
Arcabit	Trojan.Generic.D11712
BitDefenderTheta	Gen:NN.ZexaF.34590.tBXaa8gzVdni
Cyren	W32/Trojan.UCEE-0055
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Generickdz-9816506-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKDZ.71442
NANO-Antivirus	Trojan.Win32.TPM.ihooas
Ad-Aware	Trojan.GenericKDZ.71442
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Crypt.TPM.Gen
Zillya	Trojan.Themida.Win32.61758
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKDZ.71442 (B)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Generic.gqvhq
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Packed]/Win32.Themida
Gridinsoft	Trojan.Win32.CoinMiner.vb
Microsoft	Trojan:Win32/Ymacco.AA52
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKDZ.71442
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.Generic.C2871621
McAfee	Artemis!2F11EF6EF558
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.BitCoinMiner.Themida.Generic
Panda	Trj/Genetic.gen
ESET-NOD32	a variant of Win32/Packed.Themida.EWW
TrendMicro-HouseCall	TROJ_GEN.R002H0CLT20
Rising	Malware.Heuristic!ET#100% (RDMK:cmRtazpMBm/h3kjrTP0xqS3rW7nS)
Ikarus	Trojan.Win32.Themida
eGambit	PE.Heur.InvalidSig
Fortinet	W32/Mikey.3FA8!tr

nCoreManager.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All