Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 12, 2021, 2:46 p.m.	Sept. 12, 2021, 3:11 p.m.

Size	318.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`3f22bd82ee1b38f439e6354c60126d6d`
SHA256	`265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a`
CRC32	`BE70020F`
ssdeep	`6144:ej4R3H20xSWLE2Sgct82tCOcfX+A5yF17s:ejcG72Et8Vf81`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library

NiceProcessX64.bmp "C:\Users\test22\AppData\Local\Temp\NiceProcessX64.bmp"
2236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

A process attempted to delay the analysis task. (1 event)

description

NiceProcessX64.bmp tried to sleep 130 seconds, actually delayed analysis time by 99 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: mobsync.exe process_identifier: 1684	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 888	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: wsqmcons.exe process_identifier: 2032	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: sdclt.exe process_identifier: 2560	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: sppsvc.exe process_identifier: 2988	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: taskhost.exe process_identifier: 2340	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: schtasks.exe process_identifier: 248	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 1100	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2516	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2484	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: SearchProtocolHost.exe process_identifier: 2620	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: NiceProcessX64.bmp process_identifier: 2236	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: SearchFilterHost.exe process_identifier: 180	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2828	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1088	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2220	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2176	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2168	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2316	1	1
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2332	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2412	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2408	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2760	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2400	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 240	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 816	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 3056	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 3064	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 3008	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2840	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 1464	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2136	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 1956	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 2444	1	1
Process32NextW Sept. 12, 2021, 2:40 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 2972	1	1
Process32NextW Sept. 12, 2021, 2:41 p.m.	snapshot_handle: 0x0000000000000028 process_name: cmd.exe process_identifier: 2584	1	1
Process32NextW Sept. 12, 2021, 2:41 p.m.	snapshot_handle: 0x0000000000000028 process_name: conhost.exe process_identifier: 1280	1	1
Process32NextW Sept. 12, 2021, 2:41 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 564	1	1

Expresses interest in specific running processes (1 event)

process

niceprocessx64.bmp

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 1304 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0
Process32NextW Sept. 12, 2021, 2:39 p.m.	snapshot_handle: 0x0000000000000028 process_name: pw.exe process_identifier: 1260		0	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

FireEye	Generic.mg.3f22bd82ee1b38f4
ALYac	Gen:Variant.Cerbu.112632
Cybereason	malicious.18f86e
APEX	Malicious
McAfee-GW-Edition	BehavesLike.Win64.Injector.fh
SentinelOne	Static AI - Suspicious PE
Jiangmin	Backdoor.Androm.qhp
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
McAfee	Artemis!3F22BD82EE1B

NiceProcessX64.bmp

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All