Summary | ZeroBOX

sat1_0609_2.dll

OS Processor Check PE32 PE File DLL
Category: FILE
Machine: s1_win7_x6402
Started: June 10, 2021, 10:35 p.m.
Completed: June 10, 2021, 10:45 p.m.
Size 513.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 1e2385b6c669ba98831b97915f6aceba
SHA256 337a487f1cb8f16200a5d14cac1dac3478e95cf3077b3872d319970131bea702
CRC32 BB4BF649
ssdeep 6144:rCqCGToDHEHD7pPV25vyGOZYjbLvD6RVioO6gZ6xv4hCZWrVcXRYpmPBOA:uTGTGkn5gqufLvDcVzPR0kWA
Yara
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
114.7.240.222 Active Moloch
172.217.25.14 Active Moloch
178.72.192.20 Active Moloch
180.178.106.50 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49812 -> 178.72.192.20:443 2404307 ET CNC Feodo Tracker Reported CnC Server group 8 A Network Trojan was detected
TCP 192.168.56.102:49813 -> 180.178.106.50:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 180.178.106.50:443 -> 192.168.56.102:49813 2011540 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) Not Suspicious Traffic

Suricata TLS

Flow: TLSv1 192.168.56.102:49813 -> 180.178.106.50:443
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Fingerprint: 57:a5:47:89:03:bd:10:1a:51:a8:68:ac:ea:f3:b9:47:d1:31:e5:c7

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
packer Armadillo v1.xx - v2.xx
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x72e26d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x77211278
RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x771d9a5a
RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76e8b5e7
stacktrace+0x1d1 memdup-0x62 @ 0x72e105bd
hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea
New_kernel32_GetSystemTimeAsFileTime+0x1d New_kernel32_GetSystemWindowsDirectoryA-0x8d @ 0x72e1bdb5
0x11f083
0xbdc48
0x1299f8
0xbdca0

exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c
exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a
exception.instruction: mov rax, qword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 105050
exception.address: 0x771d9a5a
registers.r14: 0
registers.r15: 780016
registers.rcx: 0
registers.rsi: 777288
registers.r10: 0
registers.rbx: 848771752
registers.rsp: 777280
registers.r11: 0
registers.r8: 5
registers.r9: 1927995136
registers.rdx: 2
registers.r12: 1994795888
registers.rbp: 0
registers.rdi: 780008
registers.rax: 1
registers.r13: 1147624
1 0 0
suspicious_features: Connection to IP address
suspicious_request: GET https://180.178.106.50/sat1/TEST22-PC_W617601.5D67FB324A9D0823B317377F32B3F2A7/5/file/
request GET https://180.178.106.50/sat1/TEST22-PC_W617601.5D67FB324A9D0823B317377F32B3F2A7/5/file/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10025000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73861000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e80000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72da4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e01000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 233472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 274432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02270000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a60000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a70000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3588
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 4960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description wermgr.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
name RT_CURSOR language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x0007a1f8 size 0x000000b4
name RT_BITMAP language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x0007abd0 size 0x00000144
name RT_ICON language LANG_KOREAN filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_KOREAN offset 0x000404c0 size 0x00000468
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x0007a8c0 size 0x000000e8
cmdline C:\Windows\system32\cmd.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00661000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section {u'size_of_data': u'0x00047000', u'virtual_address': u'0x00035000', u'entropy': 7.783665740774746, u'name': u'.rsrc', u'virtual_size': u'0x000469b8'} entropy 7.78366574077 description A section with a high entropy has been found
entropy 0.568 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 8752
process_handle: 0x0000011c
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 8752
process_handle: 0x0000011c
1 0 0
host 114.7.240.222
host 172.217.25.14
host 178.72.192.20
host 180.178.106.50
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Kryptik.HLHF
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.37074831
Avast Win32:DangerousSig [Trj]
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.GenericKD.37074831
MAX malware (ai score=84)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan.Kryptik.Q0NRGS
McAfee Artemis!1E2385B6C669
Malwarebytes Trojan.Dropper
Ikarus Trojan.Win32.Generic
Fortinet Malicious_Behavior.SB
AVG Win32:DangerousSig [Trj]
dead_host 114.7.240.222:443
dead_host 178.72.192.20:443