Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 7, 2021, 8:22 a.m.	Sept. 7, 2021, 8:38 a.m.

Size	4.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`99d66cd7da25f37b13936ce6f0f939d7`
SHA256	`3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad`
CRC32	`A376EA71`
ssdeep	`98304:XSse110tnw6AOXu57bC4RqlrjAe8VhhSEYEniZqgE2NFE6Wq+Pw1rhWixOU2tlOk:XEyWO+57bC8CAe8TMjNHN+PI9xLoMPsZ`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer

TXGJ.exe "C:\Users\test22\AppData\Local\Temp\TXGJ.exe"
1948

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 7, 2021, 8:22 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (32 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73762000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 8982528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3653632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1011a000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 782336 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fbbc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fbbc0

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fbbc0

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc0b0

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fc0b0

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fd7b8

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fedc0

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004fedc0

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500008

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a50

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a9c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a9c

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500a9c

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500ae8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500ae8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00500ae8

size

0x00000014

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\765b71.tmp
file	C:\Users\test22\AppData\Local\Temp\765b41.tmp
file	C:\Users\test22\AppData\Local\Temp\765b81.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (29 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: mobsync.exe process_identifier: 1928	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 2668	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: taskhost.exe process_identifier: 200	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: cmd.exe process_identifier: 1768	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: SearchFilterHost.exe process_identifier: 2516	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: pw.exe process_identifier: 1548	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: TXGJ.exe process_identifier: 1948	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000188 process_name: schtasks.exe process_identifier: 1744	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 2916	1	1
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 932	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 972	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 2272	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 1168	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 2308	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 2532	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 2332	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 508	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 1904	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 2392	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 2920	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 2756	1	1
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 2808	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 2304	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 2876	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000194 process_name: cmd.exe process_identifier: 728	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 1516	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 1956	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000194 process_name: cmd.exe process_identifier: 2552	1	1
Process32NextW Sept. 7, 2021, 8:24 a.m.	snapshot_handle: 0x00000194 process_name: conhost.exe process_identifier: 1424	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 7, 2021, 8:22 a.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02970000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00414000', u'virtual_address': u'0x000a8000', u'entropy': 7.96587378319354, u'name': u'.rdata', u'virtual_size': u'0x00413362'}

entropy

7.96587378319

description

A section with a high entropy has been found

entropy

0.845344129555

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 126 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000180 process_name: co.ŕ process_identifier: 2140		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: co-Ɨ process_identifier: 2140		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: TX-ǐ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: TX-ȉ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: TX-ɂ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: TX-ɻ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: TX-ʲ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: TX-˩ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: TX-̠ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: TX-͗ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: TX-Ύ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: TX-υ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: TX-ϼ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000190 process_name: pw30⋔ process_identifier: 2880		0	0
Process32NextW Sept. 7, 2021, 8:22 a.m.	snapshot_handle: 0x00000194 process_name: pw3.⋣ process_identifier: 2880		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⋲ process_identifier: 2880		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: pw3.⌁ process_identifier: 2880		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⌐ process_identifier: 2880		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-Ո process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-ս process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ֲ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-ק process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-؜ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-ّ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-چ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⍬ process_identifier: 2272		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: pw3.⍻ process_identifier: 2272		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⎊ process_identifier: 2272		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: pw3.⎙ process_identifier: 2272		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⎨ process_identifier: 2272		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ߎ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX.ࠃ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000180 process_name: TX.࠷ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-࡫ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ࢠ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-ࣕ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ऊ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-ि process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ॴ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30② process_identifier: 2532		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: pw3.⑰ process_identifier: 2532		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⑿ process_identifier: 2532		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: pw3.⒎ process_identifier: 2532		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: pw30⒝ process_identifier: 2532		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-઼ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-૱ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ଦ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-୛ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000194 process_name: TX-ஐ process_identifier: 1948		0	0
Process32NextW Sept. 7, 2021, 8:23 a.m.	snapshot_handle: 0x00000190 process_name: TX-௅ process_identifier: 1948		0	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Multi.Generic.lwj0
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Wsgame.53822
MicroWorld-eScan	Gen:Variant.Zusy.384364
FireEye	Generic.mg.99d66cd7da25f37b
ALYac	Gen:Variant.Zusy.384364
Cylance	Unsafe
Zillya	Trojan.Generic.Win32.1476970
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005246d51 )
Alibaba	Trojan:Win32/MalwareX.d3293459
K7GW	Trojan ( 005246d51 )
Cybereason	malicious.76ebdd
BitDefenderTheta	Gen:NN.ZexaF.34126.@t0@aKaDhXpb
Cyren	W32/Agent.EW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Vmprotect-6824127-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Zusy.384364
NANO-Antivirus	Trojan.Win32.Wsgame.ixxbtl
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Gen:Variant.Zusy.384364
Emsisoft	Gen:Variant.Zusy.384364 (B)
Comodo	TrojWare.Win32.Agent.OSCF@5rs7jr
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WH121
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
Sophos	Generic PUA KH (PUA)
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDropper.Binder.avs
Avira	PUA/Agent.ML
Antiy-AVL	Trojan/Generic.ASCommon.FA
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Malware.Win32.GenericMC.cc
Arcabit	Trojan.Zusy.D5DD6C
GData	Win32.Trojan.PSE.19Q2126
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Black.R439979
Acronis	suspicious
McAfee	GenericRXAA-FA!99D66CD7DA25
MAX	malware (ai score=81)
VBA32	BScope.Trojan.Downloader
Malwarebytes	Trojan.MalPack.FlyStudio
TrendMicro-HouseCall	TROJ_GEN.R002C0WH121
Rising	Stealer.Agent!1.D531 (CLASSIC)
Yandex	Trojan.Agent!Pg9VsjQ8tI4

TXGJ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All