Summary | ZeroBOX

imgengine.dll

UPX MZP Format PE File DLL OS Processor Check PE32
Category Machine Started Completed
FILE s1_win7_x6402 July 13, 2023, 9:01 a.m. July 13, 2023, 9:04 a.m.
Size 35.3MB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 511f56b74826a4e053db05e34f72bd6b
SHA256 1a9b5e974dee1f8ad4c36c15c23b5573fb0a8066cb70ba29ae4971e5c6a7dec9
CRC32 BAAC87F3
ssdeep 393216:BD47Ywnk2h2q8qhlBOs60wWTrrlJMWbDBHjci+:pak2gqdMsvwWTvoW3a
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • mzp_file_format - MZP(Delphi) file format
  • IsDLL - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
121.254.136.57 Active Moloch
164.124.101.2 Active Moloch
185.8.51.230 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49194 -> 185.8.51.230:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49194
185.8.51.230:443
C=US, O=Let's Encrypt, CN=R3 CN=esp-78-56-65-23.esp.artforcemusic.de 2d:34:f5:b9:7a:59:08:9b:a2:0d:94:62:34:3c:61:33:ff:41:b6:c7

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
section .itext
section .didata
section .global0
section .global1
section .global2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
TMethodImplementationIntercept+0x8409f TMethodImplementationIntercept-0x2878dd imgengine+0xf32c7 @ 0x1dc32c7
TMethodImplementationIntercept+0x83d1f TMethodImplementationIntercept-0x287c5d imgengine+0xf2f47 @ 0x1dc2f47
TMethodImplementationIntercept+0x84019 TMethodImplementationIntercept-0x287963 imgengine+0xf3241 @ 0x1dc3241
__dbk_fcall_wrapper+0x22eca TMethodImplementationIntercept-0x3a572 imgengine+0x34cb6 @ 0x1d04cb6
__dbk_fcall_wrapper+0x22f57 TMethodImplementationIntercept-0x3a4e5 imgengine+0x34d43 @ 0x1d04d43
TMethodImplementationIntercept+0x2eb366 TMethodImplementationIntercept-0x20616 imgengine+0x35a58e @ 0x202a58e
TMethodImplementationIntercept+0x30105b TMethodImplementationIntercept-0xa921 imgengine+0x370283 @ 0x2040283
TMethodImplementationIntercept+0x119e0b TMethodImplementationIntercept-0x1f1b71 imgengine+0x189033 @ 0x1e59033
TMethodImplementationIntercept+0x1199ea TMethodImplementationIntercept-0x1f1f92 imgengine+0x188c12 @ 0x1e58c12
TMethodImplementationIntercept+0x1199a5 TMethodImplementationIntercept-0x1f1fd7 imgengine+0x188bcd @ 0x1e58bcd
TMethodImplementationIntercept+0x125341 TMethodImplementationIntercept-0x1e663b imgengine+0x194569 @ 0x1e64569
BindImage+0x52 dbkFCallWrapperAddr-0x2483e imgengine+0x37ae02 @ 0x204ae02
rundll32+0x137d @ 0x73137d
rundll32+0x1326 @ 0x731326
rundll32+0x1901 @ 0x731901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 1636132
registers.edi: 5
registers.eax: 1636132
registers.ebp: 1636212
registers.edx: 0
registers.ebx: 1636360
registers.esi: 1636424
registers.ecx: 7
1 0 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029ea000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74221000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fc1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00450000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x039e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74121000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74101000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75231000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x739a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73851000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73841000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73191000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73171000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73131000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x730f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x730e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029ea000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74221000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fc1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00660000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00680000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00690000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003d0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section {u'size_of_data': u'0x00eb9200', u'virtual_address': u'0x00d1b000', u'entropy': 7.972022290304701, u'name': u'.global2', u'virtual_size': u'0x00eb90a0'} entropy 7.9720222903 description A section with a high entropy has been found
entropy 0.999602187966 description Overall entropy of this PE file is high
wmi SELECT * FROM AntiVirusProduct
wmi SELECT Caption FROM Win32_OperatingSystem
Elastic malicious (high confidence)
FireEye Generic.mg.511f56b74826a4e0
K7AntiVirus Spyware ( 0057e9881 )
K7GW Spyware ( 0057e9881 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Spy.Mekotio.CN
Cynet Malicious (score: 100)
APEX Malicious
F-Secure Heuristic.HEUR/AGEN.1338326
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1338326
Gridinsoft Trojan.Heur!.02212020
AhnLab-V3 Trojan/Win.Generic.R568749
Rising Spyware.Mekotio!8.F5DF (TFE:5:hylQq4PvDCH)
DeepInstinct MALICIOUS