Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 13, 2023, 9:01 a.m.	July 13, 2023, 9:04 a.m.

Size	35.3MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`511f56b74826a4e053db05e34f72bd6b`
SHA256	`1a9b5e974dee1f8ad4c36c15c23b5573fb0a8066cb70ba29ae4971e5c6a7dec9`
CRC32	`BAAC87F3`
ssdeep	`393216:BD47Ywnk2h2q8qhlBOs60wWTrrlJMWbDBHjci+:pak2gqdMsvwWTvoW3a`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format IsDLL - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,BindImage
3048
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,CheckSumMappedFile
2160
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,BindImageEx
2196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModules
2404
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModules64
1588
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModulesEx
1844
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModulesExW
2120
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModulesW64
2488
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindDebugInfoFile
2848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindDebugInfoFileEx
3020
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindExecutableImage
1776
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindExecutableImageEx
2772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindFileInPath
1596
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindFileInSearchPath
1220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,GetImageConfigInformation
1600
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,GetImageUnusedHeaderBytes
1628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,GetTimestampForLoadedLibrary
2568
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageAddCertificate
1624
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageDirectoryEntryToData
2236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageDirectoryEntryToDataEx
2476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageEnumerateCertificates
240
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageGetCertificateData
180
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageGetCertificateHeader
2428
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageGetDigestStream
3016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageLoad
2104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageNtHeader
1848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageRemoveCertificate
732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageRvaToSection
376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageRvaToVa
1508
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageUnload
596
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImagehlpApiVersion
1136
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImagehlpApiVersionEx
2800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MakeSureDirectoryPathExists
1604
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapAndLoad
2436
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapDebugInformation
2248
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapFileAndCheckSumA
3080
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapFileAndCheckSumW
3204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ReBaseImage
3324
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ReBaseQHddvKE4
3432
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,RemovePrivateCvSymbolic
3524
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,RemovePrivateCvSymbolicEx
3620
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,RemoveRelocations
3720
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SearchTreeForFile
3812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SetImageConfigInformation
3908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SplitSymbols
4016
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,StackWalk
3104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,StackWalk64
3256
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymCleanup
3340
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumSym
3516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumSymbols
2500
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumSymbolsForAddr
3576
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumTypes
3948

Name	Response	Post-Analysis Lookup
apps.identrust.com	CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.43.165.105
esp-78-56-65-23.esp.artforcemusic.de	A 185.8.51.230	185.8.51.230

IP Address	Status	Action
121.254.136.57	Active	Moloch
164.124.101.2	Active	Moloch
185.8.51.230	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49194 -> 185.8.51.230:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49194 185.8.51.230:443	C=US, O=Let's Encrypt, CN=R3	CN=esp-78-56-65-23.esp.artforcemusic.de	2d:34:f5:b9:7a:59:08:9b:a2:0d:94:62:34:3c:61:33:ff:41:b6:c7

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (47 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:03 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:04 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	.itext
section	.didata
section	.global0
section	.global1
section	.global2

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 13, 2023, 9:02 a.m.	stacktrace: TMethodImplementationIntercept+0x8409f TMethodImplementationIntercept-0x2878dd imgengine+0xf32c7 @ 0x1dc32c7 TMethodImplementationIntercept+0x83d1f TMethodImplementationIntercept-0x287c5d imgengine+0xf2f47 @ 0x1dc2f47 TMethodImplementationIntercept+0x84019 TMethodImplementationIntercept-0x287963 imgengine+0xf3241 @ 0x1dc3241 __dbk_fcall_wrapper+0x22eca TMethodImplementationIntercept-0x3a572 imgengine+0x34cb6 @ 0x1d04cb6 __dbk_fcall_wrapper+0x22f57 TMethodImplementationIntercept-0x3a4e5 imgengine+0x34d43 @ 0x1d04d43 TMethodImplementationIntercept+0x2eb366 TMethodImplementationIntercept-0x20616 imgengine+0x35a58e @ 0x202a58e TMethodImplementationIntercept+0x30105b TMethodImplementationIntercept-0xa921 imgengine+0x370283 @ 0x2040283 TMethodImplementationIntercept+0x119e0b TMethodImplementationIntercept-0x1f1b71 imgengine+0x189033 @ 0x1e59033 TMethodImplementationIntercept+0x1199ea TMethodImplementationIntercept-0x1f1f92 imgengine+0x188c12 @ 0x1e58c12 TMethodImplementationIntercept+0x1199a5 TMethodImplementationIntercept-0x1f1fd7 imgengine+0x188bcd @ 0x1e58bcd TMethodImplementationIntercept+0x125341 TMethodImplementationIntercept-0x1e663b imgengine+0x194569 @ 0x1e64569 BindImage+0x52 dbkFCallWrapperAddr-0x2483e imgengine+0x37ae02 @ 0x204ae02 rundll32+0x137d @ 0x73137d rundll32+0x1326 @ 0x731326 rundll32+0x1901 @ 0x731901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636132 registers.edi: 5 registers.eax: 1636132 registers.ebp: 1636212 registers.edx: 0 registers.ebx: 1636360 registers.esi: 1636424 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 13, 2023, 9:02 a.m.

stacktrace:

TMethodImplementationIntercept+0x8409f TMethodImplementationIntercept-0x2878dd imgengine+0xf32c7 @ 0x1dc32c7
TMethodImplementationIntercept+0x83d1f TMethodImplementationIntercept-0x287c5d imgengine+0xf2f47 @ 0x1dc2f47
TMethodImplementationIntercept+0x84019 TMethodImplementationIntercept-0x287963 imgengine+0xf3241 @ 0x1dc3241
__dbk_fcall_wrapper+0x22eca TMethodImplementationIntercept-0x3a572 imgengine+0x34cb6 @ 0x1d04cb6
__dbk_fcall_wrapper+0x22f57 TMethodImplementationIntercept-0x3a4e5 imgengine+0x34d43 @ 0x1d04d43
TMethodImplementationIntercept+0x2eb366 TMethodImplementationIntercept-0x20616 imgengine+0x35a58e @ 0x202a58e
TMethodImplementationIntercept+0x30105b TMethodImplementationIntercept-0xa921 imgengine+0x370283 @ 0x2040283
TMethodImplementationIntercept+0x119e0b TMethodImplementationIntercept-0x1f1b71 imgengine+0x189033 @ 0x1e59033
TMethodImplementationIntercept+0x1199ea TMethodImplementationIntercept-0x1f1f92 imgengine+0x188c12 @ 0x1e58c12
TMethodImplementationIntercept+0x1199a5 TMethodImplementationIntercept-0x1f1fd7 imgengine+0x188bcd @ 0x1e58bcd
TMethodImplementationIntercept+0x125341 TMethodImplementationIntercept-0x1e663b imgengine+0x194569 @ 0x1e64569
BindImage+0x52 dbkFCallWrapperAddr-0x2483e imgengine+0x37ae02 @ 0x204ae02
rundll32+0x137d @ 0x73137d
rundll32+0x1326 @ 0x731326
rundll32+0x1901 @ 0x731901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 1636132
registers.edi: 5
registers.eax: 1636132
registers.ebp: 1636212
registers.edx: 0
registers.ebx: 1636360
registers.esi: 1636424
registers.ecx: 7

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 963 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ea000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x039e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73851000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73841000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ea000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003d0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 13, 2023, 9:02 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00eb9200', u'virtual_address': u'0x00d1b000', u'entropy': 7.972022290304701, u'name': u'.global2', u'virtual_size': u'0x00eb90a0'}

entropy

7.9720222903

description

A section with a high entropy has been found

entropy

0.999602187966

description

Overall entropy of this PE file is high

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM AntiVirusProduct
wmi	SELECT Caption FROM Win32_OperatingSystem

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.511f56b74826a4e0
K7AntiVirus	Spyware ( 0057e9881 )
K7GW	Spyware ( 0057e9881 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Mekotio.CN
Cynet	Malicious (score: 100)
APEX	Malicious
F-Secure	Heuristic.HEUR/AGEN.1338326
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1338326
Gridinsoft	Trojan.Heur!.02212020
AhnLab-V3	Trojan/Win.Generic.R568749
Rising	Spyware.Mekotio!8.F5DF (TFE:5:hylQq4PvDCH)
DeepInstinct	MALICIOUS

imgengine.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All