Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 06:09
audiodg.exe
09.22 06:09
psfod.exe
09.22 06:09
73EtsZxIoDetWTu.exe
09.22 06:09
otqp9.exe
09.22 06:09
xx.exe
09.22 06:09
fck.exe
09.22 06:09
LummaC222222.exe
09.22 06:09
seethebestwayforunders...
09.22 06:09
Name.exe
09.22 06:09
needmoney.exe

Latest News
09.23 08:09
컬러풀대구 웨딩박람회, 오는 10월 엑스...
09.23 08:09
3D Printing a Wire-Wra...
09.23 07:09
Three Media Moguls Are...
09.23 07:09
Harris Vows to Grow AI...
09.23 07:09
September 23, 2024
09.23 06:09
Apollo to Offer Multib...
09.23 05:09
The Russian APT Tool M...
09.23 05:09
Hackaday Links: Septem...
09.23 05:09
Fed’s Rate Cut Comes W...
09.23 05:09
Schluss mit Bildmanipu...

Summary | ZeroBOX

gpupdate.exe

CobaltStrike Malicious Library UPX Malicious Packer PE64 PE File OS Processor Check

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 12, 2023, 7:43 a.m.	Dec. 12, 2023, 8 a.m.

Size	1.6MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`d03630dc968aae232a10fc0507727977`
SHA256	`c9b5ab87aa09c521ab00abe664291bb2e833f018f0c8f3c00b719e35f101f140`
CRC32	`93E633B2`
ssdeep	`12288:0zYbDqnj2GqNqHUDjvAYE9XuLk4AfANMMBKoociXh8NPhLXlD1zXxMAPqNaoT+r5:Hbunj2Giq0fIIKoo4NPhLCEmTvkEhuN`
PDB Path	E:\Holy Quasimodo\Documents\contract-203038\Assembly\x64\Debug\Assembly.pdb
Yara	Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file HKTL_CobaltStrike_Beacon_Strings - Identifies strings used in Cobalt Strike Beacon DLL OS_Processor_Check_Zero - OS Processor Check

gpupdate.exe "C:\Users\test22\AppData\Local\Temp\gpupdate.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

E:\Holy Quasimodo\Documents\contract-203038\Assembly\x64\Debug\Assembly.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	.textbss
section	.msvcjmc
section	.00cfg
section	_RDATA

The executable uses a known packer (1 event)

packer

Microsoft Visual C++ V8.0 (Debug)

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 12, 2023, 7:43 a.m.	stacktrace: gpupdate+0x79063 @ 0x13f639063 gpupdate+0x7b367 @ 0x13f63b367 gpupdate+0x7b014 @ 0x13f63b014 gpupdate+0x7d2f9 @ 0x13f63d2f9 gpupdate+0x7d19e @ 0x13f63d19e gpupdate+0x7d05e @ 0x13f63d05e gpupdate+0x7d38e @ 0x13f63d38e BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 63 40 3c 48 8b 8d 80 02 00 00 48 03 c8 48 8b exception.symbol: gpupdate+0x79063 exception.instruction: movsxd rax, dword ptr [rax + 0x3c] exception.module: gpupdate.exe exception.exception_code: 0xc0000005 exception.offset: 495715 exception.address: 0x13f639063 registers.r14: 0 registers.r15: 0 registers.rcx: 5360070946 registers.rsi: 0 registers.r10: 3969660 registers.rbx: 0 registers.rsp: 2095312 registers.r11: 8796092695074 registers.r8: 51543015464 registers.r9: 55837655081 registers.rdx: 2093512 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0