popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Projectads.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 10, 2023, 4:51 p.m. March 10, 2023, 4:54 p.m.
Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0f16ee89f88b541aea1867c8b6b44868
SHA256 0002ab37c265250dc388afc14e44b8b9362d941db7634df5bad9fa7d7c287b19
CRC32 7D53FB04
ssdeep 24576:J7u0QUm8sMWyLCB3aO+AhcE/evoBNMhgNkTjR2iRRZj0tJqeRXigd0ojgKa8LAqx:tFDAMcMhgNmF7ZIue5igd9pGqx
PDB Path C:\Setiquij paci_cit xofe\Yakokagi\waxitig\rota codacow.pdb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
ytbwdoevgozptoogir71mmp.cuc59nbf3uiiogdm62yhd321emm7lk
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
pdb_path C:\Setiquij paci_cit xofe\Yakokagi\waxitig\rota codacow.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1290240
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1167360
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0b120000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000008c
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: csrss.exe
process_identifier: 304
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: wininit.exe
process_identifier: 352
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: csrss.exe
process_identifier: 360
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: winlogon.exe
process_identifier: 400
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: services.exe
process_identifier: 444
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: lsm.exe
process_identifier: 468
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 572
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 652
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 724
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 784
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 832
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: audiodg.exe
process_identifier: 900
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 992
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 292
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: spoolsv.exe
process_identifier: 324
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 1048
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: srvany.exe
process_identifier: 1284
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: KMService.exe
process_identifier: 1436
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: conhost.exe
process_identifier: 1448
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: taskhost.exe
process_identifier: 1600
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: sppsvc.exe
process_identifier: 1820
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: svchost.exe
process_identifier: 1896
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: dwm.exe
process_identifier: 1260
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: explorer.exe
process_identifier: 1452
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: pw.exe
process_identifier: 988
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: SearchIndexer.exe
process_identifier: 1160
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: SearchProtocolHost.exe
process_identifier: 936
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: SearchFilterHost.exe
process_identifier: 2000
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: pw.exe
process_identifier: 2284
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: mobsync.exe
process_identifier: 2300
1 1 0

Process32NextW

 snapshot_handle: 0x0000008c
process_name: Projectads.exe
process_identifier: 2548
1 1 0
section {u'size_of_data': u'0x0015dc00', u'virtual_address': u'0x00001000', u'entropy': 7.925001627897359, u'name': u'.text', u'virtual_size': u'0x0015da60'} entropy 7.9250016279 description A section with a high entropy has been found
entropy 0.949762389681 description Overall entropy of this PE file is high
buffer Buffer with sha1: b69122f6dbf08f14bf79c6458dec3c2deed5bfe0