Summary | ZeroBOX

PtzObsPluginInstaller.exe

Tags: UPX, Malicious Library, OS Processor Check, PE64, PE File
Category FILE
Machine s1_win7_x6401
Started Jan. 13, 2024, 2:03 a.m.
Completed Jan. 13, 2024, 2:03 a.m.
Size 3.2MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 cdad3cdfd93b23b07ad59be8cf406af6
SHA256 3e7a582a8859f1f836685b16d14048c1130326bbb296066e1c85d3cdc07f3d52
CRC32 5AE0E3F5
ssdeep 49152:lncxbi7BaNCaQ4KLyGKo3LJ+sD1oLQ+PUWrxUwAedoF75RVYC2d:2x0bLyGjdF1kKeK1QC2d
PDB Path D:\a\OBSPlugin\OBSPlugin\installers-src\win\x64\Release\PtzObsPluginInstaller.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Hosts (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP addresses (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API call (Time & API / Arguments / Status / Return / Repeated):

GlobalMemoryStatusEx

Status 1, Return 1, Repeated 0
section _RDATA
resource name BIN
API call (Time & API / Arguments / Status / Return / Repeated):

__exception__

stacktrace:
CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 @ 0x7fefee9a278
TF_IsCtfmonRunning+0x2f4 TF_RunInputCPL-0x1a19c msctf+0x4b394 @ 0x7fefee9b394
SetInputScope+0x4662 DllRegisterServer-0x10f5e msctf+0x2e1e2 @ 0x7fefee7e1e2
TF_GetInputScope+0x19f3 CtfImeDestroyThreadMgr-0x20a9 msctf+0x14bcb @ 0x7fefee64bcb
TF_GetInputScope+0x2ae9 CtfImeDestroyThreadMgr-0xfb3 msctf+0x15cc1 @ 0x7fefee65cc1
TF_CanUninitialize+0x74 CtfNotifyIME-0x1318 msctf+0x21ea4 @ 0x7fefee71ea4
TF_CleanUpPrivateMessages+0xf48 DllGetClassObject-0x514 msctf+0x180d4 @ 0x7fefee680d4
TF_CleanUpPrivateMessages+0xf26 DllGetClassObject-0x536 msctf+0x180b2 @ 0x7fefee680b2
TF_CleanUpPrivateMessages+0xc7b DllGetClassObject-0x7e1 msctf+0x17e07 @ 0x7fefee67e07
TF_CleanUpPrivateMessages+0xbb8 DllGetClassObject-0x8a4 msctf+0x17d44 @ 0x7fefee67d44
RtlProcessFlsData+0x84 LdrUnlockLoaderLock-0x7c ntdll+0x2b894 @ 0x76d5b894
LdrShutdownProcess+0xa9 NtdllDialogWndProc_W-0x43b ntdll+0x24249 @ 0x76d54249
RtlExitUserProcess+0x90 LdrShutdownProcess-0x20 ntdll+0x24180 @ 0x76d54180
ptzobsplugininstaller+0x13bc5 @ 0x13f373bc5
ptzobsplugininstaller+0x13b90 @ 0x13f373b90
ptzobsplugininstaller+0x75f4 @ 0x13f3675f4
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: ff 50 18 89 9e f8 08 00 00 48 3b fb 74 28 48 39
exception.symbol: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278
exception.instruction: call qword ptr [rax + 0x18]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 303736
exception.address: 0x7fefee9a278
Status 1, Return 0, Repeated 0
Bkav W32.Common.B0993800
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win64.Dropper.wh
ALYac Gen:Variant.Lazy.375904
Cylance unsafe
VIPRE Gen:Variant.Lazy.375904
BitDefender Gen:Variant.Lazy.375904
Cybereason malicious.c1ea61
Arcabit Trojan.Lazy.D5BC60
Symantec ML.Attribute.HighConfidence
APEX Malicious
McAfee Artemis!CDAD3CDFD93B
Avast Win64:MalwareX-gen [Trj]
MicroWorld-eScan Gen:Variant.Lazy.375904
Emsisoft Gen:Variant.Lazy.375904 (B)
FireEye Gen:Variant.Lazy.375904
Ikarus Trojan.Win64.Injector
Webroot W32.Malware.Gen
Google Detected
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.PossibleThreat
GData Gen:Variant.Lazy.375904
Varist W64/ABRisk.ETEN-1539
DeepInstinct MALICIOUS
Malwarebytes Neshta.Virus.FileInfector.DDS
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H09JR23
MaxSecure Trojan.Malware.219919399.susgen
AVG Win64:MalwareX-gen [Trj]
CrowdStrike win/malicious_confidence_70% (D)