Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 8, 2023, 7:56 a.m.	March 8, 2023, 7:58 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8ed2a04ece93bee35023ce41afccae0b`
SHA256	`167a12055852953ff43bda213ecc524fd8af28f6613ffa9225a6c3259e079357`
CRC32	`8EC30191`
ssdeep	`24576:8NxPFagwIFbznWbpht0ESUxMG+/VIwDn051L9R9DtdTKak5wz:8NPtvFbS1T0D9KvLbZKaawz`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) PE_Header_Zero - PE File Signature

zckop.exe "C:\Users\test22\AppData\Local\Temp\zckop.exe"
2572

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
154.91.230.44	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2023, 7:56 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2023, 7:56 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sedata

One or more processes crashed (50 out of 363 events)

Time & API	Arguments	Status
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: zckop+0x114b34 @ 0x514b34 zckop+0x14e4bc @ 0x54e4bc RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: eb 09 a8 3f af ca 39 f0 92 0d 9c c3 e9 73 ff ff exception.symbol: zckop+0x6d046 exception.instruction: jmp 0x46d051 exception.module: zckop.exe exception.exception_code: 0x80000003 exception.offset: 446534 exception.address: 0x46d046 registers.esp: 1638008 registers.edi: 0 registers.eax: 0 registers.ebp: 1638052 registers.edx: 582600 registers.ebx: 5 registers.esi: 6547304 registers.ecx: 6547304	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 1637020 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 1637256 registers.edx: 4599808 registers.ebx: 1 registers.esi: 1637020 registers.ecx: 3199040484	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 47708996 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 47709232 registers.edx: 4599830 registers.ebx: 1 registers.esi: 47708996 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 47709016 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 47709252 registers.edx: 4599830 registers.ebx: 1 registers.esi: 47709016 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 49019724 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 49019960 registers.edx: 4599830 registers.ebx: 1 registers.esi: 49019724 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 50330456 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 50330692 registers.edx: 4599830 registers.ebx: 1 registers.esi: 50330456 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 49019724 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 49019960 registers.edx: 4599830 registers.ebx: 1 registers.esi: 49019724 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:56 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 49019724 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 49019960 registers.edx: 4599830 registers.ebx: 1 registers.esi: 49019724 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 47708996 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 47709232 registers.edx: 4599830 registers.ebx: 1 registers.esi: 47708996 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 47709016 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 47709252 registers.edx: 4599830 registers.ebx: 1 registers.esi: 47709016 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 50330456 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 50330692 registers.edx: 4599830 registers.ebx: 1 registers.esi: 50330456 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 45349692 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 45349928 registers.edx: 4599830 registers.ebx: 1 registers.esi: 45349692 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 44301112 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 44301348 registers.edx: 4599830 registers.ebx: 1 registers.esi: 44301112 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 49019724 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 49019960 registers.edx: 4599830 registers.ebx: 1 registers.esi: 49019724 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 42203964 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 42204200 registers.edx: 4599830 registers.ebx: 1 registers.esi: 42203964 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 43252536 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 43252772 registers.edx: 4599830 registers.ebx: 1 registers.esi: 43252536 registers.ecx: 2423584518	1
__exception__ March 8, 2023, 7:57 a.m.	stacktrace: 0x80 exception.instruction_r: f6 d3 8d 9a 6a 04 d5 e6 eb c8 8b dd 89 0b 86 fb exception.symbol: zckop+0xa0d6b exception.instruction: not bl exception.module: zckop.exe exception.exception_code: 0x80000004 exception.offset: 658795 exception.address: 0x4a0d6b registers.esp: 46398252 registers.edi: 4770095 registers.eax: 2772574899 registers.ebp: 46398488 registers.edx: 4599830 registers.ebx: 1 registers.esi: 46398252 registers.ecx: 2423584518	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 4861 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 region_size: 1576960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x759aa000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2023, 7:56 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001520e8

size

0x00010828

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162910

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162924

size

0x00000418

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000270 process_name: mobsync.exe process_identifier: 2284	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00029000', u'virtual_address': u'0x00001000', u'entropy': 7.976767544013762, u'name': u'.text', u'virtual_size': u'0x00062000'}

entropy

7.97676754401

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000ee000', u'virtual_address': u'0x00063000', u'entropy': 7.560302685977603, u'name': u'.sedata', u'virtual_size': u'0x000ee000'}

entropy

7.56030268598

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x00163000', u'entropy': 7.9841542671815295, u'name': u'.sedata', u'virtual_size': u'0x00001000'}

entropy

7.98415426718

description

A section with a high entropy has been found

entropy

0.939597315436

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 51 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000270 process_name: zckop.exe process_identifier: 7602224		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000274 process_name: zckop.exe process_identifier: 3014768		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000278 process_name: zckop.exe process_identifier: 7274573		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000027c process_name: zckop.exe process_identifier: 5046390		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000298 process_name: zckop.exe process_identifier: 7536688		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000029c process_name: zckop.exe process_identifier: 6619246		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002a0 process_name: zckop.exe process_identifier: 6881397		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002a4 process_name: zckop.exe process_identifier: 7602277		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002a8 process_name: zckop.exe process_identifier: 5177421		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002ac process_name: zckop.exe process_identifier: 5046338		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002b0 process_name: zckop.exe process_identifier: 6619235		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002b4 process_name: zckop.exe process_identifier: 4456552		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002b8 process_name: zckop.exe process_identifier: 6553705		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002bc process_name: zckop.exe process_identifier: 6815859		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002c0 process_name: zckop.exe process_identifier: 6619251		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002c4 process_name: zckop.exe process_identifier: 6684769		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002c8 process_name: zckop.exe process_identifier: 6357091		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002cc process_name: zckop.exe process_identifier: 7733331		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002d0 process_name: zckop.exe process_identifier: 6815860		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002d4 process_name: zckop.exe process_identifier: 7667815		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002d8 process_name: zckop.exe process_identifier: 6619251		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002dc process_name: zckop.exe process_identifier: 7209061		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002e0 process_name: zckop.exe process_identifier: 3014768		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002e4 process_name: zckop.exe process_identifier: 5374032		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002e8 process_name: e process_identifier: 7471201		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002ec process_name: zckop.exe process_identifier: 6619251		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002f0 process_name: zckop.exe process_identifier: 7733331		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002f4 process_name: zckop.exe process_identifier: 7667821		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002f8 process_name: zckop.exe process_identifier: 7274605		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x000002fc process_name: zckop.exe process_identifier: 5439553		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000300 process_name: zckop.exe process_identifier: 7602290		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000304 process_name: zckop.exe process_identifier: 5439555		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000308 process_name: zckop.exe process_identifier: 4390992		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000030c process_name: zckop.exe process_identifier: 6553705		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000310 process_name: zckop.exe process_identifier: 4522030		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000314 process_name: zckop.exe process_identifier: 6619182		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000318 process_name: zckop.exe process_identifier: 3670069		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000031c process_name: at.exe process_identifier: 6684781		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000320 process_name: zckop.exe process_identifier: 7536756		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000324 process_name: zckop.exe process_identifier: 4784233		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000328 process_name: zckop.exe process_identifier: 7471170		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000032c process_name: zckop.exe process_identifier: 7143542		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000330 process_name: zckop.exe process_identifier: 6553715		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000334 process_name: zckop.exe process_identifier: 7864421		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000338 process_name: process_identifier: 7733362		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000033c process_name: zckop.exe process_identifier: 3342387		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000340 process_name: zckop.exe process_identifier: 3014736		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000344 process_name: zckop.exe process_identifier: 7471220		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x00000348 process_name: zckop.exe process_identifier: 6619219		0	0
Process32NextW March 8, 2023, 7:56 a.m.	snapshot_handle: 0x0000034c process_name: zckop.exe process_identifier: 4980808		0	0

Communicates with host for which no DNS query was performed (1 event)

host

154.91.230.44

Creates known Nitol/ServStart files, registry keys and/or mutexes (1 event)

regkey

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vwxyab

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectNet.01
Lionic	Hacktool.Win32.Generic.lA3h
Elastic	malicious (high confidence)
FireEye	Generic.mg.8ed2a04ece93bee3
McAfee	Artemis!8ED2A04ECE93
Malwarebytes	Agent.Trojan.Downloader.DDS
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005239691 )
Alibaba	Packed:Win32/NoobyProtect.d79656f8
K7GW	Adware ( 005693e61 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Trojan.HPC.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.NoobyProtect.M suspicious
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Backdoor.Win32.Lotok.lmy
BitDefender	Trojan.GenericKD.65823234
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Injector.tc
Trapmine	malicious.high.ml.score
Ikarus	PUA.NoobyProtect
Webroot	W32.Adware.Gen
Avira	HEUR/AGEN.1237427
Antiy-AVL	GrayWare/Win32.Safeguard.a
Gridinsoft	Trojan.Heur!.03010021
Xcitium	TrojWare.Win32.Amtar.KNB@4wlm66
Microsoft	Trojan:Win32/Casdet!rfn
GData	Win32.Packed.NoobyProtect.B
Google	Detected
AhnLab-V3	Trojan/Win.Leonem.C5391929
Cylance	unsafe
Rising	Trojan.Generic@AI.95 (RDML:h7FI4uhxYeCwfzm9yZLfbg)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Virus.W32.packed.Noobyprotect.B
Fortinet	Riskware/Application
BitDefenderTheta	Gen:NN.ZexaF.36308.kv0@a4qDUsob

zckop.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All