Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 12, 2022, 5:50 p.m.	Dec. 12, 2022, 5:52 p.m.

Size	629.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`64b06d9408f8681bce5821db705273ce`
SHA256	`5152a2dee24714603552cf873e34a12b8822df103336e8f0e1da5379720c7348`
CRC32	`BF55E876`
ssdeep	`12288:UiwaCECK5cldtdlEqDPylAwn46A9jmP/uhu/yMS08CkntxYRyL:ZCED5cldtdPDgAw4fmP/UDMS08Ckn35`
Yara	IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Recipt.exe "C:\Users\test22\AppData\Local\Temp\Recipt.exe"
2996
- cmd.exe cmd.exe /c C:\Users\test22\AppData\Local\Temp\NewBitmapImage.bmp
  2224

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 12, 2022, 5:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 12, 2022, 5:50 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 12, 2022, 5:50 p.m.	computer_name: TEST22-PC	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 12, 2022, 5:50 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

CUSTOM

One or more processes crashed (18 events)

Time & API	Arguments	Status
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636472 registers.edi: 1636660 registers.eax: 1636472 registers.ebp: 1636552 registers.edx: 0 registers.ebx: 5652376 registers.esi: 1636660 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636472 registers.edi: 1636660 registers.eax: 1636472 registers.ebp: 1636552 registers.edx: 0 registers.ebx: 5652376 registers.esi: 1636660 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636472 registers.edi: 1636660 registers.eax: 1636472 registers.ebp: 1636552 registers.edx: 0 registers.ebx: 5652376 registers.esi: 1636660 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636472 registers.edi: 1636660 registers.eax: 1636472 registers.ebp: 1636552 registers.edx: 0 registers.ebx: 5652376 registers.esi: 1636660 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1634944 registers.edi: 1635132 registers.eax: 1634944 registers.ebp: 1635024 registers.edx: 0 registers.ebx: 5652376 registers.esi: 1635132 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1634916 registers.edi: 5652376 registers.eax: 1634916 registers.ebp: 1634996 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1615216 registers.edi: 5652376 registers.eax: 1615216 registers.ebp: 1615296 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1615208 registers.edi: 5652376 registers.eax: 1615208 registers.ebp: 1615288 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1615320 registers.edi: 5652376 registers.eax: 1615320 registers.ebp: 1615400 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1615212 registers.edi: 5652376 registers.eax: 1615212 registers.ebp: 1615292 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1615012 registers.edi: 5652376 registers.eax: 1615012 registers.ebp: 1615092 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1606540 registers.edi: 5652376 registers.eax: 1606540 registers.ebp: 1606620 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1613260 registers.edi: 5652376 registers.eax: 1613260 registers.ebp: 1613340 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1613260 registers.edi: 5652376 registers.eax: 1613260 registers.ebp: 1613340 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1634668 registers.edi: 5652376 registers.eax: 1634668 registers.ebp: 1634748 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635140 registers.edi: 5652376 registers.eax: 1635140 registers.ebp: 1635220 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635248 registers.edi: 5652376 registers.eax: 1635248 registers.ebp: 1635328 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1
__exception__ Dec. 12, 2022, 5:50 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636892 registers.edi: 5652376 registers.eax: 1636892 registers.ebp: 1636972 registers.edx: 0 registers.ebx: 5652376 registers.esi: 5652376 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 98 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74322000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05022000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05022000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05024000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05024000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05024000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05025000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05025000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05026000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05026000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dd6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fe0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fe0000 process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

cmd.exe /c C:\Users\test22\AppData\Local\Temp\NewBitmapImage.bmp

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 12, 2022, 5:50 p.m.	process_identifier: 2996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003a0000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044000', u'virtual_address': u'0x0005c000', u'entropy': 7.931517844299381, u'name': u'.rsrc', u'virtual_size': u'0x000433b8'}

entropy

7.9315178443

description

A section with a high entropy has been found

entropy

0.435897435897

description

Overall entropy of this PE file is high

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Dec. 12, 2022, 5:50 p.m.	key_handle: 0x000003ac regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Dec. 12, 2022, 5:50 p.m.	key_handle: 0x000003ac regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Bingoml.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen19.19229
MicroWorld-eScan	Trojan.Generic.32417722
FireEye	Generic.mg.64b06d9408f8681b
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.vb
K7AntiVirus	Spyware ( 004b9a461 )
Alibaba	TrojanSpy:Win32/Bingoml.a2dcdb15
K7GW	Spyware ( 004b9a461 )
Cybereason	malicious.9859a6
Arcabit	Trojan.Generic.D1EEA7BA
BitDefenderTheta	Gen:NN.ZevbaF.36106.Nm1@aKk@Bfei
Cyren	W32/ABRisk.USLE-3162
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.KeyLogger.ODN
TrendMicro-HouseCall	TROJ_GEN.R011C0PL922
Kaspersky	Trojan.Win32.Bingoml.hoad
BitDefender	Trojan.Generic.32417722
Avast	Win32:Trojan-gen
Tencent	Malware.Win32.Gencirc.11687b55
Ad-Aware	Trojan.Generic.32417722
Emsisoft	Trojan.Generic.32417722 (B)
F-Secure	Trojan.TR/Dropper.Gen
VIPRE	Trojan.Generic.32417722
TrendMicro	TROJ_GEN.R011C0PL922
McAfee-GW-Edition	BehavesLike.Win32.Trojan.jh
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/Dropper.Gen
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Spy]/Win32.KeyLogger
Microsoft	Trojan:Win32/Woreflint.A!cl
ZoneAlarm	Trojan.Win32.Bingoml.hoad
GData	Trojan.Generic.32417722
Cynet	Malicious (score: 100)
Acronis	suspicious
ALYac	Trojan.Generic.32417722
VBA32	TScope.Trojan.VB
Malwarebytes	Generic.Trojan.Injector.DDS
APEX	Malicious
Rising	Stealer.Kutaki!1.D278 (CLASSIC)
Ikarus	Trojan-Spy.Win32.KeyLogger
Fortinet	W32/KeyLogger.NJK!tr.spy
AVG	Win32:Trojan-gen

Recipt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All