Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 18, 2023, 12:16 p.m.	June 18, 2023, 12:18 p.m.

Size	140.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8f26838bcfe78a273701af789c8a8922`
SHA256	`42bc619ece29110430b91ca7c007523bfc5fda8a46b8e079beed624a350decc8`
CRC32	`A471866A`
ssdeep	`3072:mPh253NQakAmFFLTnTcY8iY+BkBrhxJ5AdgqB6uYWxHDit:753Nlmj3TcY5xBxPzY6HDit`
Yara	Malicious_Library_Zero - Malicious_Library ASPack_Zero - ASPack packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature VMProtect_Zero - VMProtect packed file

%E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7%BF%BB%E8%AF%91%E5%8C%85.exe "C:\Users\test22\AppData\Local\Temp\%E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7%BF%BB%E8%AF%91%E5%8C%85.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.116.15.39	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 18, 2023, 12:16 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.vmp0
section	.vmp1

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Foreign language identified in PE resource (27 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001a130

size

0x00000158

name

RT_BITMAP

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001a130

size

0x00000158

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013cf0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013cf0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013cf0

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013cf0

size

0x00000128

name

RT_MENU

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001a288

size

0x00000058

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001a368

size

0x0000033a

name

RT_DIALOG

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001a368

size

0x0000033a

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_STRING

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b434

size

0x00000086

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b4bc

size

0x00000068

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013e3c

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013e3c

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00013e60

size

0x00000304

name

None

language

LANG_CHINESE

filetype

empty

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001b524

size

0x0000000c

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 63 events)

Time & API	Arguments	Status	Return
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: smss.exe process_identifier: 224	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: services.exe process_identifier: 444	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: pw.exe process_identifier: 988	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: pw.exe process_identifier: 2320	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: wsqmcons.exe process_identifier: 2360	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: sdclt.exe process_identifier: 2376	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000128 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 2544	1	1
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000240 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7602224		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000164 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7536688		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000244 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 3014768		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000248 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7274573		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000024c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 5046390		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000250 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6815859		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000258 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6881397		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000025c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7602277		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000260 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6619235		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000264 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 4456552		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000268 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7536758		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000026c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6684769		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000270 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 4390992		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000274 process_name: process_identifier: 5439572		0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000278 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6619182		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 18, 2023, 12:16 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001f000', u'virtual_address': u'0x00029000', u'entropy': 7.8305263853159195, u'name': u'.vmp1', u'virtual_size': u'0x0001e0e6'}

entropy

7.83052638532

description

A section with a high entropy has been found

entropy

0.911764705882

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 18, 2023, 12:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (28 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000240 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7602224		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000164 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7536688		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000244 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 3014768		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000248 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7274573		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000024c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 5046390		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000250 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6815859		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000258 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6881397		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000025c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7602277		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000260 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6619235		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000264 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 4456552		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000268 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7536758		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000026c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6684769		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000270 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 4390992		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000274 process_name: process_identifier: 5439572		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000278 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6619182		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000027c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6553715		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000280 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 5046338		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000284 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6619246		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000288 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6750273		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000028c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7471220		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000290 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7733331		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000294 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 4980808		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x00000298 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6619251		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x0000029c process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 7864421		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x000002a0 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 3342387		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x000002a4 process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 3014722		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x000002a8 process_name: process_identifier: 7733362		0	0
Process32NextW June 18, 2023, 12:16 p.m.	snapshot_handle: 0x000002ac process_name: %E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7% process_identifier: 6553705		0	0

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host

103.116.15.39

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 100)
FireEye	Generic.mg.8f26838bcfe78a27
McAfee	Artemis!8F26838BCFE7
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Sabsik.7b45deb2
Cyren	W32/ABRisk.MQJT-1717
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.VMProtect.AJI
APEX	Malicious
Kaspersky	Trojan.Win32.Miancha.jlk
BitDefender	Trojan.GenericKD.67556515
MicroWorld-eScan	Trojan.GenericKD.67556515
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1324799
VIPRE	Trojan.GenericKD.67556515
McAfee-GW-Edition	BehavesLike.Win32.Corrupt.cc
Trapmine	malicious.high.ml.score
Emsisoft	Trojan.GenericKD.67556515 (B)
Ikarus	Trojan.Win32.VMProtect
Avira	HEUR/AGEN.1324799
Antiy-AVL	Trojan[Packed]/Win32.VMProtect
Microsoft	Trojan:Win32/Sabsik.MTR!MTB
Xcitium	TrojWare.Win32.Trojan.XPACK.Gen@2ho5ur
Arcabit	Trojan.Generic.D406D4A3
ZoneAlarm	Trojan.Win32.Miancha.jlk
GData	Win32.Trojan.Agent.3Y872H
Google	Detected
BitDefenderTheta	AI:Packer.4D72F3C21F
MAX	malware (ai score=83)
VBA32	BScope.Trojan.Download
Malwarebytes	Malware.Heuristic.1003
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H01FG23
Rising	Trojan.Generic@AI.97 (RDML:PzQqOIM5tnoNyE2vWbv0gg)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
Cybereason	malicious.f71c58
DeepInstinct	MALICIOUS

%E7%82%B9%E5%87%BB%E6%AD%A4%E5%A4%84%E5%AE%89%E8%A3%85%E7%94%B5%E8%84%91%E7%AE%80%E4%BD%93%E4%B8%AD%E6%96%87%E8%AF%AD%E8%A8%80%E7%BF%BB%E8%AF%91%E5%8C%85.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All