Summary | ZeroBOX

chkds.dll

Tags: Generic Malware, Malicious Library, UPX, PE File, DLL, OS Processor Check, PE32

Category FILE
Machine s1_win7_x6401
Started Dec. 12, 2022, 3:21 p.m.
Completed Dec. 12, 2022, 3:21 p.m.
Size 707.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 775fb391db27e299af08933917a3acda
SHA256 2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7
CRC32 0442951E
ssdeep 12288:mSr91kIy1bQYZEEDBK515C4sDOIKVQWalJ4+PzOhgxgyag9HEGZ5zi2AGv/:mSr9Ny1zY5CzIanfPXgQtZ5ziRK
Yara
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsDLL - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x100ae000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73660000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73551000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73514000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x100ae000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73660000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73484000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73be1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x100ae000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73660000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73551000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73514000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x100ae000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73660000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73484000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c11000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 262144
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00431000
process_handle: 0xffffffff
1 0 0
section .data: size_of_data 0x00075000, virtual_address 0x00039000, virtual_size 0x00074f87, entropy 7.1656686117
description: A section with a high entropy has been found
entropy 0.674351585014
description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0

Process32NextW

snapshot_handle: 0x0000010c
process_name: rundll32.exe
process_identifier: 2560
0 0
Time & API Arguments Status Return Repeated

FindWindowW

class_name: OLLYDBG
window_name:
0 0

FindWindowW

class_name: WinDbgFrameClass
window_name:
0 0

Antivirus Result
Lionic Trojan.Win32.Androm.m!c
Elastic malicious (high confidence)
DrWeb Trojan.Siggen18.58608
MicroWorld-eScan Gen:Variant.Lazy.253006
FireEye Gen:Variant.Lazy.253006
ALYac Gen:Variant.Lazy.253006
Malwarebytes Malware.AI.3649722157
Zillya Backdoor.Androm.Win32.82281
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:Win32/Androm.87889e06
K7GW Trojan ( 0059941c1 )
K7AntiVirus Trojan ( 0059941c1 )
Arcabit Trojan.Lazy.D3DC4E
BitDefenderTheta Gen:NN.ZedlaF.36106.Sq6@aqQX5Mji
VirIT Trojan.Win32.Genus.DLQF
Cyren W32/ABRisk.KHHY-3769
Symantec Trojan Horse
ESET-NOD32 a variant of Win32/GenCBL.CUK
TrendMicro-HouseCall TROJ_GEN.R03FC0DJN22
Cynet Malicious (score: 99)
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Gen:Variant.Lazy.253006
NANO-Antivirus Trojan.Win32.Androm.jtcotu
Avast Win32:BackdoorX-gen [Trj]
Tencent Win32.Backdoor.Androm.Uwhl
Ad-Aware Gen:Variant.Lazy.253006
Emsisoft MalCert-S.PZ (A)
Comodo Malware@#2fasj3ho2cp4a
VIPRE Gen:Variant.Lazy.253006
TrendMicro TROJ_GEN.R03FC0DJN22
McAfee-GW-Edition Artemis!Trojan
Sophos Generic ML PUA (PUA)
Ikarus Trojan.Win32.Generic
Jiangmin Backdoor.Androm.bdrw
Webroot W32.Trojan.Gen
Avira BDS/Androm.kiiwe
Antiy-AVL Trojan/Win32.GenCBL
Kingsoft Win32.Troj.Generic.jm.(kcloud)
Microsoft Trojan:Win32/Androm!MTB
GData Gen:Variant.Lazy.253006
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5283608
McAfee Artemis!775FB391DB27
APEX Malicious
Rising Trojan.MalCert!1.E0E5 (CLASSIC)
MAX malware (ai score=88)
Fortinet W32/PossibleThreat
AVG Win32:BackdoorX-gen [Trj]
Panda Trj/Chgt.AA