Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 21, 2021, 11 a.m.	May 21, 2021, 11:03 a.m.

Size	4.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1973e37ebcef7d29735098244afe84c7`
SHA256	`687c85aada37664caacfa6d2330edc7ebdbce56b06caf969b42b47764a9a7841`
CRC32	`226314EE`
ssdeep	`98304:XSU/vG+nw6AOXu57bC4RqlrjAe8VhhSEYEniZqgE2NFE6Wq+Pw1rhWixOU2tlOo/:LuuWO+57bC8CAe8TMjNHN+PI9xLoMPs7`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

360diao.exe "C:\Users\test22\AppData\Local\Temp\360diao.exe"
996

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 21, 2021, 11 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (32 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 8982528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3653632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1011a000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 782336 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ce0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fabc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fabc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fabc0

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fb0b0

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc7b8

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fddc0

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fddc0

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ff008

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa50

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa9c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa9c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffa9c

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffae8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffae8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004ffae8

size

0x00000014

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\190ce06.tmp
file	C:\Users\test22\AppData\Local\Temp\190ce05.tmp
file	C:\Users\test22\AppData\Local\Temp\190cd87.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (33 events)

Time & API	Arguments	Status	Return
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000017c process_name: mobsync.exe process_identifier: 1420	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000017c process_name: pw.exe process_identifier: 2368	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000017c process_name: taskhost.exe process_identifier: 6464	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000017c process_name: cmd.exe process_identifier: 7784	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000017c process_name: conhost.exe process_identifier: 5904	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000017c process_name: 360diao.exe process_identifier: 996	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: conhost.exe process_identifier: 7232	1	1
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: pw.exe process_identifier: 4636	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: conhost.exe process_identifier: 4232	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 8956	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: cmd.exe process_identifier: 8064	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: conhost.exe process_identifier: 6012	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 4716	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: cmd.exe process_identifier: 3660	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: conhost.exe process_identifier: 5916	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: pw.exe process_identifier: 1160	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: cmd.exe process_identifier: 7236	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: conhost.exe process_identifier: 8724	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 5888	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: cmd.exe process_identifier: 3624	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: conhost.exe process_identifier: 7940	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: pw.exe process_identifier: 4408	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: cmd.exe process_identifier: 4672	1	1
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: conhost.exe process_identifier: 8168	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000180 process_name: cmd.exe process_identifier: 8868	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000180 process_name: conhost.exe process_identifier: 2268	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000180 process_name: pw.exe process_identifier: 4368	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000194 process_name: cmd.exe process_identifier: 8264	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000194 process_name: conhost.exe process_identifier: 3916	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000194 process_name: pw.exe process_identifier: 8572	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000198 process_name: cmd.exe process_identifier: 6744	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000198 process_name: conhost.exe process_identifier: 8300	1	1
Process32NextW May 21, 2021, 11:02 a.m.	snapshot_handle: 0x00000198 process_name: pw.exe process_identifier: 8408	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 21, 2021, 11 a.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x026f0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00414000', u'virtual_address': u'0x000a7000', u'entropy': 7.965899651237585, u'name': u'.rdata', u'virtual_size': u'0x004133a2'}

entropy

7.96589965124

description

A section with a high entropy has been found

entropy

0.84602917342

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (2 events)

process	thunderbird.exe
process	pw.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 127 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000170 process_name: sl4Ɯ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000180 process_name: 2﷐˴㱴眽㲣眽⏴畕 process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000178 process_name: 2﷐˴㱴眽㲣眽⏴畕 process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: sl4ɡ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: sl4ʢ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: sl4ˣ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: sl4̢ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: sl4͡ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: sl4Π process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: sl4ϟ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: sl4О process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: sl4ѝ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: sl4Ҝ process_identifier: 232		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: 364ә process_identifier: 996		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4636		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4636		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4636		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4636		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 364؎ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: 364ى process_identifier: 996		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 364ڄ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x00000188 process_name: 364ڿ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11 a.m.	snapshot_handle: 0x0000018c process_name: 364ۺ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364ܵ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 364ݰ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 8956		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 8956		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 8956		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 8956		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364࢟ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 364ࣘ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364ऑ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 364ॊ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 364ঃ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 2﷐˴㱴眽㲣眽⏴畕 process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x0000018c process_name: 2﷐˴㱴眽㲣眽⏴畕 process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364ਬ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 364੥ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4716		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4716		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4716		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 4716		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364ஊ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 364௃ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364௼ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 364వ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364౮ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 364ಧ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000188 process_name: 364ೠ process_identifier: 996		0	0
Process32NextW May 21, 2021, 11:01 a.m.	snapshot_handle: 0x00000180 process_name: 2﷌̄㱴眽㲣眽⏨璥 process_identifier: 1160		0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Mikey.106224
FireEye	Generic.mg.1973e37ebcef7d29
CAT-QuickHeal	Trojan.Multi
McAfee	GenericRXAA-AA!1973E37EBCEF
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.Multi.Generic.4!c
K7AntiVirus	Trojan ( 005246d51 )
BitDefender	Gen:Variant.Mikey.106224
K7GW	Trojan ( 005246d51 )
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZexaF.34690.@t0@aCrNS6cb
Cyren	W32/Agent.EW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/WsGame.28d0abb8
Ad-Aware	Gen:Variant.Mikey.106224
Emsisoft	Gen:Variant.Mikey.106224 (B)
Comodo	TrojWare.Win32.Agent.OSCF@5rs7jr
DrWeb	Trojan.PWS.Wsgame.53822
Zillya	Trojan.Generic.Win32.1393518
TrendMicro	TROJ_GEN.R002C0WDR21
McAfee-GW-Edition	BehavesLike.Win32.Dropper.rc
Sophos	Generic PUA KM (PUA)
GData	Gen:Variant.Mikey.106224
Jiangmin	TrojanDropper.Binder.avs
MaxSecure	Trojan.Malware.7164915.susgen
Avira	TR/PSW.WsGame.cjfbx
MAX	malware (ai score=100)
Arcabit	Trojan.Mikey.D19EF0
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Trojan:Win32/Tiggre!rfn
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Black.R135897
Acronis	suspicious
VBA32	BScope.Trojan.Downloader
ALYac	Gen:Variant.Mikey.106224
Malwarebytes	Trojan.MalPack.FlyStudio
TrendMicro-HouseCall	TROJ_GEN.R002C0WDR21
Rising	Stealer.Agent!1.D531 (CLOUD)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_100%
Fortinet	W32/CoinMiner.ELG!tr.pws
Webroot	W32.Trojan.Kazy
AVG	Win32:MalwareX-gen [Trj]

360diao.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All