Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 13, 2023, 9:01 a.m.	July 13, 2023, 9:08 a.m.

Size	35.3MB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`511f56b74826a4e053db05e34f72bd6b`
SHA256	`1a9b5e974dee1f8ad4c36c15c23b5573fb0a8066cb70ba29ae4971e5c6a7dec9`
CRC32	`BAAC87F3`
ssdeep	`393216:BD47Ywnk2h2q8qhlBOs60wWTrrlJMWbDBHjci+:pak2gqdMsvwWTvoW3a`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format IsDLL - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,BindImageEx
2204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,CheckSumMappedFile
2264
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModules
2396
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,BindImage
3012
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModules64
1632
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModulesEx
1044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModulesExW
1832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,EnumerateLoadedModulesW64
2504
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindDebugInfoFile
2712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindDebugInfoFileEx
3008
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindExecutableImage
1780
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindExecutableImageEx
2080
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindFileInPath
2556
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,FindFileInSearchPath
3060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,GetImageConfigInformation
2444
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,GetImageUnusedHeaderBytes
2280
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,GetTimestampForLoadedLibrary
2292
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageAddCertificate
296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageDirectoryEntryToData
1732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageDirectoryEntryToDataEx
300
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageEnumerateCertificates
2216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageGetCertificateData
904
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageGetCertificateHeader
2224
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageGetDigestStream
1784
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageLoad
2948
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageNtHeader
2088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageRemoveCertificate
1132
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageRvaToSection
1328
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageRvaToVa
2744
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImageUnload
900
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImagehlpApiVersion
1192
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ImagehlpApiVersionEx
1868
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MakeSureDirectoryPathExists
1140
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapAndLoad
2372
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapDebugInformation
1104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapFileAndCheckSumA
3084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,MapFileAndCheckSumW
3224
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ReBaseImage
3336
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,ReBaseQHddvKE4
3428
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,RemovePrivateCvSymbolic
3520
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,RemovePrivateCvSymbolicEx
3644
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,RemoveRelocations
3736
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SearchTreeForFile
3840
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SetImageConfigInformation
3936
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SplitSymbols
4032
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,StackWalk
2432
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,StackWalk64
3248
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymCleanup
3356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumSym
3456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumSymbols
3664
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumSymbolsForAddr
3812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\imgengine.dll,SymEnumTypes
3956

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.43.165.105
esp-78-56-65-23.esp.artforcemusic.de	A 185.8.51.230	185.8.51.230

IP Address	Status	Action
121.254.136.27	Active	Moloch
164.124.101.2	Active	Moloch
185.8.51.230	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49193 -> 185.8.51.230:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49193 185.8.51.230:443	C=US, O=Let's Encrypt, CN=R3	CN=esp-78-56-65-23.esp.artforcemusic.de	2d:34:f5:b9:7a:59:08:9b:a2:0d:94:62:34:3c:61:33:ff:41:b6:c7

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 13, 2023, 9:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (46 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:01 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:02 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:05 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:05 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:05 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:06 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0
IsDebuggerPresent July 13, 2023, 9:07 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	.itext
section	.didata
section	.global0
section	.global1
section	.global2

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 13, 2023, 9:03 a.m.	stacktrace: TMethodImplementationIntercept+0x8409f TMethodImplementationIntercept-0x2878dd imgengine+0xf32c7 @ 0x24f32c7 TMethodImplementationIntercept+0x83d1f TMethodImplementationIntercept-0x287c5d imgengine+0xf2f47 @ 0x24f2f47 TMethodImplementationIntercept+0x84019 TMethodImplementationIntercept-0x287963 imgengine+0xf3241 @ 0x24f3241 __dbk_fcall_wrapper+0x22eca TMethodImplementationIntercept-0x3a572 imgengine+0x34cb6 @ 0x2434cb6 __dbk_fcall_wrapper+0x22f57 TMethodImplementationIntercept-0x3a4e5 imgengine+0x34d43 @ 0x2434d43 TMethodImplementationIntercept+0x2eb366 TMethodImplementationIntercept-0x20616 imgengine+0x35a58e @ 0x275a58e TMethodImplementationIntercept+0x30105b TMethodImplementationIntercept-0xa921 imgengine+0x370283 @ 0x2770283 TMethodImplementationIntercept+0x119e0b TMethodImplementationIntercept-0x1f1b71 imgengine+0x189033 @ 0x2589033 TMethodImplementationIntercept+0x1199ea TMethodImplementationIntercept-0x1f1f92 imgengine+0x188c12 @ 0x2588c12 TMethodImplementationIntercept+0x1199a5 TMethodImplementationIntercept-0x1f1fd7 imgengine+0x188bcd @ 0x2588bcd TMethodImplementationIntercept+0x125341 TMethodImplementationIntercept-0x1e663b imgengine+0x194569 @ 0x2594569 BindImage+0x52 dbkFCallWrapperAddr-0x2483e imgengine+0x37ae02 @ 0x277ae02 rundll32+0x137d @ 0xff137d rundll32+0x1326 @ 0xff1326 rundll32+0x1901 @ 0xff1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 653400 registers.edi: 5 registers.eax: 653400 registers.ebp: 653480 registers.edx: 0 registers.ebx: 653628 registers.esi: 653692 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 13, 2023, 9:03 a.m.

stacktrace:

TMethodImplementationIntercept+0x8409f TMethodImplementationIntercept-0x2878dd imgengine+0xf32c7 @ 0x24f32c7
TMethodImplementationIntercept+0x83d1f TMethodImplementationIntercept-0x287c5d imgengine+0xf2f47 @ 0x24f2f47
TMethodImplementationIntercept+0x84019 TMethodImplementationIntercept-0x287963 imgengine+0xf3241 @ 0x24f3241
__dbk_fcall_wrapper+0x22eca TMethodImplementationIntercept-0x3a572 imgengine+0x34cb6 @ 0x2434cb6
__dbk_fcall_wrapper+0x22f57 TMethodImplementationIntercept-0x3a4e5 imgengine+0x34d43 @ 0x2434d43
TMethodImplementationIntercept+0x2eb366 TMethodImplementationIntercept-0x20616 imgengine+0x35a58e @ 0x275a58e
TMethodImplementationIntercept+0x30105b TMethodImplementationIntercept-0xa921 imgengine+0x370283 @ 0x2770283
TMethodImplementationIntercept+0x119e0b TMethodImplementationIntercept-0x1f1b71 imgengine+0x189033 @ 0x2589033
TMethodImplementationIntercept+0x1199ea TMethodImplementationIntercept-0x1f1f92 imgengine+0x188c12 @ 0x2588c12
TMethodImplementationIntercept+0x1199a5 TMethodImplementationIntercept-0x1f1fd7 imgengine+0x188bcd @ 0x2588bcd
TMethodImplementationIntercept+0x125341 TMethodImplementationIntercept-0x1e663b imgengine+0x194569 @ 0x2594569
BindImage+0x52 dbkFCallWrapperAddr-0x2483e imgengine+0x37ae02 @ 0x277ae02
rundll32+0x137d @ 0xff137d
rundll32+0x1326 @ 0xff1326
rundll32+0x1901 @ 0xff1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 653400
registers.edi: 5
registers.eax: 653400
registers.ebp: 653480
registers.edx: 0
registers.ebx: 653628
registers.esi: 653692
registers.ecx: 7

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 953 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0311a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:02 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0311a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74101000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0311a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 13, 2023, 9:01 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003a0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 13, 2023, 9:03 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00eb9200', u'virtual_address': u'0x00d1b000', u'entropy': 7.972022290304701, u'name': u'.global2', u'virtual_size': u'0x00eb90a0'}

entropy

7.9720222903

description

A section with a high entropy has been found

entropy

0.999602187966

description

Overall entropy of this PE file is high

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM AntiVirusProduct
wmi	SELECT Caption FROM Win32_OperatingSystem

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.511f56b74826a4e0
K7AntiVirus	Spyware ( 0057e9881 )
K7GW	Spyware ( 0057e9881 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Mekotio.CN
Cynet	Malicious (score: 100)
APEX	Malicious
F-Secure	Heuristic.HEUR/AGEN.1338326
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1338326
Gridinsoft	Trojan.Heur!.02212020
AhnLab-V3	Trojan/Win.Generic.R568749
Rising	Spyware.Mekotio!8.F5DF (TFE:5:hylQq4PvDCH)
DeepInstinct	MALICIOUS

imgengine.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All