popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

up.exe

NPKI Malicious Packer GIF Format PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 30, 2022, 10:03 a.m. June 30, 2022, 10:06 a.m.
Size 9.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 20a89280ef6d5930572f1da62c770b3f
SHA256 d15c52b2289c24066bb3cea9f822f080b028636b223590606a2d1c479b59b96c
CRC32 7F9CE0BE
ssdeep 98304:sZBFgb+AqHU+DTwl9zOHz7t1Q5RRlWY9HJ3CChZfYQmG/dhY97s5npS+:sFgb+A4U4TIqY5BZdwnGlhmA5nI+
Yara
  • IsPE32 - (no description)
  • NPKI_Zero - File included NPKI
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
1717mu.1000uc.com
A 47.246.29.16
CNAME 1717mu.1000uc.com.w.kunlungr.com
A 47.246.29.10
A 47.246.29.11
A 47.246.29.12
A 47.246.29.9
A 47.246.29.13
A 47.246.29.14
A 47.246.29.15
163.181.22.211
jq.727mu.com
A 61.147.93.44
61.147.93.44
IP Address Status Action
164.124.101.2 Active Moloch
47.246.29.16 Active Moloch
61.147.93.44 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section
section .adata
packer ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov
resource name EXEFILE
resource name FLASH
resource name WAVE
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
up+0x9776 @ 0x31729776
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1638028
registers.edi: 0
registers.eax: 1638028
registers.ebp: 1638108
registers.edx: 0
registers.ebx: 829589168
registers.esi: 1638180
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
up+0x9776 @ 0x31729776
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1638028
registers.edi: 0
registers.eax: 1638028
registers.ebp: 1638108
registers.edx: 0
registers.ebx: 829589168
registers.esi: 1638180
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
up+0x36730 @ 0x31756730
up+0x36634 @ 0x31756634
up+0x5dc77 @ 0x3177dc77
up+0x5d957 @ 0x3177d957
up+0x650e8 @ 0x317850e8
up+0xb98228 @ 0x322b8228
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1637216
registers.edi: 1637388
registers.eax: 1637216
registers.ebp: 1637296
registers.edx: 0
registers.ebx: 81806884
registers.esi: 830919568
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
up+0x36730 @ 0x31756730
up+0x36634 @ 0x31756634
up+0x5dc77 @ 0x3177dc77
up+0x5d957 @ 0x3177d957
up+0x650e8 @ 0x317850e8
up+0xb98228 @ 0x322b8228
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1637216
registers.edi: 1637388
registers.eax: 1637216
registers.ebp: 1637296
registers.edx: 0
registers.ebx: 81806884
registers.esi: 830919588
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
up+0x36730 @ 0x31756730
up+0x36634 @ 0x31756634
up+0x5dc77 @ 0x3177dc77
up+0x5d957 @ 0x3177d957
up+0x650e8 @ 0x317850e8
up+0xb98228 @ 0x322b8228
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1637216
registers.edi: 1637388
registers.eax: 1637216
registers.ebp: 1637296
registers.edx: 0
registers.ebx: 81806884
registers.esi: 830919608
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
up+0x36730 @ 0x31756730
up+0x36634 @ 0x31756634
up+0x5dc77 @ 0x3177dc77
up+0x5d957 @ 0x3177d957
up+0x650e8 @ 0x317850e8
up+0xb98228 @ 0x322b8228
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1637228
registers.edi: 1637400
registers.eax: 1637228
registers.ebp: 1637308
registers.edx: 0
registers.ebx: 81806884
registers.esi: 830919628
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
up+0x36730 @ 0x31756730
up+0x36634 @ 0x31756634
up+0x5dc77 @ 0x3177dc77
up+0x5d957 @ 0x3177d957
up+0x650e8 @ 0x317850e8
up+0xb98228 @ 0x322b8228
0x7efde000

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x760cb727
registers.esp: 1637228
registers.edi: 1637400
registers.eax: 1637228
registers.ebp: 1637308
registers.edx: 0
registers.ebx: 81806884
registers.esi: 830919648
registers.ecx: 7
1 0 0
request GET http://1717mu.1000uc.com/gg.htm
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 368640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00420000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00430000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ca0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fe0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02300000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02310000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02320000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02340000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02370000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02420000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02430000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02440000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02450000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02460000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02480000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 3346958
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 0
sectors_per_cluster: 0
bytes_per_sector: 0
root_path: D:
total_number_of_clusters: 0
0 0

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 13709099008
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name EXEFILE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a553ac size 0x0000bb84
name FLASH language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a60f30 size 0x00001900
name WAVE language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00a62830 size 0x00000f80
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a27c size 0x00000468
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00b9a1cc size 0x000000ae
file C:\Users\test22\Desktop\up.lnk
file C:\Users\test22\Desktop\up.lnk
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0007f600', u'virtual_address': u'0x00001000', u'entropy': 7.999669839477571, u'name': u'', u'virtual_size': u'0x00154000'} entropy 7.99966983948 description A section with a high entropy has been found
section {u'size_of_data': u'0x00007a00', u'virtual_address': u'0x00155000', u'entropy': 7.995037126848417, u'name': u'', u'virtual_size': u'0x00011000'} entropy 7.99503712685 description A section with a high entropy has been found
section {u'size_of_data': u'0x00003200', u'virtual_address': u'0x00174000', u'entropy': 7.986735149338308, u'name': u'', u'virtual_size': u'0x00004000'} entropy 7.98673514934 description A section with a high entropy has been found
section {u'size_of_data': u'0x0000b000', u'virtual_address': u'0x0017a000', u'entropy': 7.995904653359212, u'name': u'', u'virtual_size': u'0x00015000'} entropy 7.99590465336 description A section with a high entropy has been found
section {u'size_of_data': u'0x00457c00', u'virtual_address': u'0x0018f000', u'entropy': 7.99971098628668, u'name': u'', u'virtual_size': u'0x00a0a000'} entropy 7.99971098629 description A section with a high entropy has been found
section {u'size_of_data': u'0x00054000', u'virtual_address': u'0x00b99000', u'entropy': 7.831454047616892, u'name': u'.data', u'virtual_size': u'0x00054000'} entropy 7.83145404762 description A section with a high entropy has been found
entropy 0.999907063197 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\DiskVBOX_HARDDISK___________________________1.0_____
Time & API Arguments Status Return Repeated

RegSetValueExA

 key_handle: 0x000003d0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x00000000ff8cae10
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00000000ff820000
1 1376499 0
process: potential process injection target explorer.exe
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Application.Graftor.750661
FireEye Generic.mg.20a89280ef6d5930
Malwarebytes Malware.Heuristic.1003
Sangfor [ASPROTECT V2.X REGISTERED -> ALEXEY SOLODOVNIKOV]
Alibaba Packed:Win32/Asprotect.d5f40e68
Cybereason malicious.0ef6d5
BitDefenderTheta Gen:NN.ZexaF.34742.@RZaaaYM30lb
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.Asprotect.HX
APEX Malicious
Cynet Malicious (score: 99)
BitDefender Gen:Variant.Application.Graftor.750661
Avast FileRepMalware [Misc]
Ad-Aware Gen:Variant.Application.Graftor.750661
Emsisoft Gen:Variant.Application.Graftor.750661 (B)
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1212664
Microsoft Program:Win32/Wacapew.C!ml
GData Gen:Variant.Application.Graftor.750661
VBA32 TScope.Malware-Cryptor.SB
ALYac Gen:Variant.Application.Graftor.750661
Yandex Trojan.GenAsa!XHPWPUxbPWE
MAX malware (ai score=76)
AVG FileRepMalware [Misc]
CrowdStrike win/malicious_confidence_100% (D)