Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 2:34 p.m.	June 25, 2021, 2:37 p.m.

Size	497.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a44a654c5d0f1673322f3ccdaffcaaca`
SHA256	`352c79c680d2c4f465128040357b366bb52eaa7cf220a253dbf3362a47bc2982`
CRC32	`92C03AFD`
ssdeep	`12288:bRBM/siiYMqReP+58lxwxW7l17l8rslOTQ/q7l4Npl:bR1YM+ePBlxwcYr9TIq63l`
Yara	VMProtect_Zero - VMProtect packed file ASPack_Zero - ASPack packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature

08018.HOME "C:\Users\test22\AppData\Local\Temp\08018.HOME"
7388

Name	Response	Post-Analysis Lookup
localsupport.ijinshan.com	A 127.0.0.1	127.0.0.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.vmp0
section	.vmp1
section	.vmp2

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

RAW

Allocates read-write-execute memory (usually to unpack itself) (48 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03630000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:34 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03eb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:35 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:36 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 25, 2021, 2:36 p.m.	process_identifier: 7388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

08018.HOME tried to sleep 813 seconds, actually delayed analysis time by 813 seconds

Foreign language identified in PE resource (3 events)

name

RAW

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b2428

size

0x00011808

name

RAW

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b2428

size

0x00011808

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000a1120

size

0x000001a4

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x00000278 process_name: pw.exe process_identifier: 900	1	1
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002ac process_name: cmd.exe process_identifier: 3752	1	1
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002bc process_name: cmd.exe process_identifier: 8400	1	1
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002bc process_name: conhost.exe process_identifier: 1660	1	1
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002bc process_name: pw.exe process_identifier: 7816	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x000002a0 process_name: cmd.exe process_identifier: 8168	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x000002a0 process_name: conhost.exe process_identifier: 2644	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x00000220 process_name: cmd.exe process_identifier: 9024	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x00000224 process_name: cmd.exe process_identifier: 1756	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x00000224 process_name: pw.exe process_identifier: 4780	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x0000016c process_name: pw.exe process_identifier: 4788	1	1
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x000002ac process_name: pw.exe process_identifier: 3980	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007b800', u'virtual_address': u'0x000dd000', u'entropy': 7.938654805415359, u'name': u'.vmp2', u'virtual_size': u'0x0007b6c8'}

entropy

7.93865480542

description

A section with a high entropy has been found

entropy

0.995967741935

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 25, 2021, 2:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 2:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 25, 2021, 2:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (13 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x00000264 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002a0 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002b4 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:34 p.m.	snapshot_handle: 0x000002a0 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x000002c0 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x000002c0 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x0000013c process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x00000220 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x0000016c process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:35 p.m.	snapshot_handle: 0x00000224 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:36 p.m.	snapshot_handle: 0x00000224 process_name: process_identifier: 0		0	0
Process32NextW June 25, 2021, 2:36 p.m.	snapshot_handle: 0x000002a8 process_name: process_identifier: 0		0	0

The executable is likely packed with VMProtect (3 events)

section	.vmp0	description	Section name indicates VMProtect
section	.vmp1	description	Section name indicates VMProtect
section	.vmp2	description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation

Attempts to disable browser security warnings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving

Modifies proxy autoconfiguration settings possibly for traffic interception (50 out of 1893 events)

Time & API	Arguments	Status
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x00000298 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a8 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a4 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002ac regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002ac regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a8 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a0 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a8 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a8 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a8 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1
RegSetValueExA June 25, 2021, 2:34 p.m.	key_handle: 0x000002a8 regkey_r: AutoConfigURL reg_type: 1 (REG_SZ) value: regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL	1

Expresses interest in specific running processes (1 event)

process: potential process injection target

svchost.exe

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen13.58897
MicroWorld-eScan	Trojan.GenericKD.46510536
FireEye	Generic.mg.a44a654c5d0f1673
McAfee	RDN/Generic Exploit
Cylance	Unsafe
Sangfor	Exploit.Win32.Shellcode.achb
Alibaba	Exploit:Win32/Shellcode.fa097406
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaF.34758.FG0@aKdRytaj
Cyren	W32/Trojan.CAFO-1070
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Exploit.Win32.Shellcode.achb
BitDefender	Trojan.GenericKD.46510536
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.46510536
Emsisoft	Trojan.GenericKD.46510536 (B)
TrendMicro	TROJ_GEN.R01FC0PFK21
McAfee-GW-Edition	BehavesLike.Win32.AutoitDropper.gc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
MAX	malware (ai score=84)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Caynamer.A!ml
AegisLab	Trojan.Win32.Malicious.4!c
ZoneAlarm	Exploit.Win32.Shellcode.achb
GData	Trojan.GenericKD.46510536
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/Malpacked3.Gen
VBA32	BScope.Exploit.Shellcode
Malwarebytes	Malware.AI.4195055361
TrendMicro-HouseCall	TROJ_GEN.R01FC0PFK21
Rising	Trojan.Generic@ML.80 (RDML:Qesq9yqSE7DCRrrZF0s68g)
eGambit	Unsafe.AI_Score_99%
Fortinet	PossibleThreat.PALLAS.H
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Malware-gen
Cybereason	malicious.6e3732
Panda	Trj/CI.A

08018.HOME

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All