Summary | ZeroBOX

4c6b7cd617a0dcf2d783efd0d73e87ee.exe

Tags: Gen1, Generic Malware, PE File, DLL, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6402
Started: July 10, 2021, 9:04 a.m.
Completed: July 10, 2021, 9:10 a.m.
Size 712.6KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 c9fa1e8906a247f5bea95fe6851a8628
SHA256 673453fec6e11175bf0a749c94594c22a886d2f287e9648b51aa305b17109ffd
CRC32 A0517FD6
ssdeep 12288:CcXe9SLN+NH0khUZY+vcvw1bG8QYewwB9gL1xBhiJZcaFh:CcO2Q2ZYuaoel9gLHBhyZcaj
Yara
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • PE_Header_Zero - PE File Signature

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
status: 1, return: 1, repeated: 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1, return: 1, repeated: 0
packer Armadillo v1.71
suspicious_features: POST method with no referer header; suspicious_request: POST http://iw.gamegame.info/report7.4.php
suspicious_features: POST method with no referer header; suspicious_request: POST http://ol.gamegame.info/report7.4.php
request GET http://ip-api.com/json/?fields=8198
request POST http://iw.gamegame.info/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
request POST http://iw.gamegame.info/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7463c000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x745c0000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744d1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74441000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74391000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x744d2000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74591000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02770000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 1052672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 380928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a60000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74551000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75821000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742e1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75081000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758b1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ca1000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
domain ip-api.com
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\axhub.dll
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\axhub.dll
process rundll32.exe
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000124
regkey_r: 1
reg_type: 3 (REG_BINARY)
value: (REG_BINARY blob omitted)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1
status: 1, return: 0, repeated: 0
Time & API Arguments Status Return Repeated

IWbemServices_ExecMethod

inargs.CurrentDirectory: None
inargs.CommandLine: rUNdlL32.eXe "C:\Users\test22\AppData\Local\Temp\axhub.dll",main
inargs.ProcessStartupInformation: None
outargs.ProcessId: 2692
outargs.ReturnValue: 0
flags: 0
method: Create
class: Win32_Process
status: 1, return: 0, repeated: 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Inject4.13781
MicroWorld-eScan Trojan.GenericKD.46595695
FireEye Trojan.GenericKD.46595695
ALYac Trojan.GenericKD.46595695
Sangfor Trojan.Win32.PSE.1JES5ON
Alibaba Trojan:Win32/Kryptik.7726b63c
Cyren W32/Trojan.VJVU-7820
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HLQQ
APEX Malicious
Paloalto generic.ml
BitDefender Trojan.GenericKD.46595695
Avast Win32:MalwareX-gen [Trj]
Ad-Aware Trojan.GenericKD.46595695
Emsisoft Trojan.GenericKD.46595695 (B)
Comodo TrojWare.Win32.Agent.awpqp@0
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Avira TR/Crypt.Agent.woetv
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan.PSE.13QHYFZ
Cynet Malicious (score: 99)
McAfee RDN/Generic.grp
MAX malware (ai score=83)
Malwarebytes Trojan.Crypt
Ikarus Trojan.Win32
Fortinet Malicious_Behavior.SB
AVG Win32:MalwareX-gen [Trj]
Panda Trj/RnkBend.A
CrowdStrike win/malicious_confidence_60% (W)