popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

check.exe

UPX Malicious Library Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API persistence FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential OS Processor Check AntiDebug PE File AntiVM PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Jan. 24, 2024, 7:53 a.m. Jan. 24, 2024, 8:04 a.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 bdfe4d6a63e6367f4cba94b395860a02
SHA256 98c054d8fce160c7d7a3f4dd23afbe567fba91ac2c3c4741976519db22ddf2d2
CRC32 7C8A7990
ssdeep 24576:GubsnafAPyjSzUX6hvlmELPxWf78ndZsr2ciexBIyFZmcQQvhbVvWDf5ikuMnLOv:YI4HdNJW4dOr2cic7FlQWRkrwmnLK
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
gfsa+0x188e6d @ 0xcf8e6d
gfsa+0x17d08b @ 0xced08b
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636336
registers.edi: 14553328
registers.eax: 0
registers.ebp: 1636364
registers.edx: 2
registers.ebx: 2867845621
registers.esi: 12034048
registers.ecx: 36779908
1 0 0

__exception__

 stacktrace: 
gfsa+0x188e6d @ 0xcf8e6d
gfsa+0x17d08b @ 0xced08b
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636336
registers.edi: 1636336
registers.eax: 0
registers.ebp: 1636364
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636372
1 0 0

__exception__

 stacktrace: 
gfsa+0x188e6d @ 0xcf8e6d
gfsa+0x17d08b @ 0xced08b
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636336
registers.edi: 1636336
registers.eax: 0
registers.ebp: 1636364
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636372
1 0 0

__exception__

 stacktrace: 
gfsa+0x187f4c @ 0xcf7f4c
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 13349360
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 7839744
registers.esi: 12034048
registers.ecx: 12034048
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 13349360
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 7839744
registers.esi: 12034048
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc52d5
exception.instruction: div eax
exception.module: gfsa.exe
exception.exception_code: 0xc0000094
exception.offset: 807637
exception.address: 0xc352d5
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 0
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800747
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x1881eb @ 0xcf81eb
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc52d5
exception.instruction: div eax
exception.module: gfsa.exe
exception.exception_code: 0xc0000094
exception.offset: 807637
exception.address: 0xc352d5
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 0
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18835d @ 0xcf835d
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 13349360
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 7839744
registers.esi: 12034048
registers.ecx: 1636292
1 0 0

__exception__

 stacktrace: 
gfsa+0x18835d @ 0xcf835d
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18835d @ 0xcf835d
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18835d @ 0xcf835d
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc52d5
exception.instruction: div eax
exception.module: gfsa.exe
exception.exception_code: 0xc0000094
exception.offset: 807637
exception.address: 0xc352d5
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 0
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18835d @ 0xcf835d
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc52d5
exception.instruction: div eax
exception.module: gfsa.exe
exception.exception_code: 0xc0000094
exception.offset: 807637
exception.address: 0xc352d5
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 0
registers.ebx: 12800747
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18852a @ 0xcf852a
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 13349360
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 7839744
registers.esi: 12034048
registers.ecx: 3171667525
1 0 0

__exception__

 stacktrace: 
gfsa+0x18852a @ 0xcf852a
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18852a @ 0xcf852a
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18852a @ 0xcf852a
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18852a @ 0xcf852a
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x18852a @ 0xcf852a
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: 0f 0b e8 11 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc5300
exception.instruction: ud2
exception.module: gfsa.exe
exception.exception_code: 0xc000001d
exception.offset: 807680
exception.address: 0xc35300
registers.esp: 1636264
registers.edi: 1636264
registers.eax: 0
registers.ebp: 1636292
registers.edx: 2
registers.ebx: 12800790
registers.esi: 0
registers.ecx: 1636300
1 0 0

__exception__

 stacktrace: 
gfsa+0x188619 @ 0xcf8619
gfsa+0x17d0a2 @ 0xced0a2
gfsa+0x270f68 @ 0xde0f68

exception.instruction_r: f7 f0 e8 3c 2d 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: gfsa+0xc52d5
exception.instruction: div eax
exception.module: gfsa.exe
exception.exception_code: 0xc0000094
exception.offset: 807637
exception.address: 0xc352d5
registers.esp: 1636264
registers.edi: 13349360
registers.eax: 0
registers.ebp: 1636292
registers.edx: 0
registers.ebx: 7839744
registers.esi: 12034048
registers.ecx: 64644
1 0 0

__exception__

 stacktrace: 
gfsa+0x3ecc @ 0xb73ecc
gfsa+0x1ee1 @ 0xb71ee1
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x9b0fff
registers.esp: 156957352
registers.edi: 1636352
registers.eax: 156957476
registers.ebp: 156957488
registers.edx: 0
registers.ebx: 3040576
registers.esi: 3051416
registers.ecx: 10158080
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02314000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02324000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02314000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02324000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02328000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02328000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02328000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02328000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02328000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2224
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004d20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\RarSFX1\gfsa.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX1\gfsa.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX1\gfsa.exe
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://users.ocsp.d-trust.net03
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://crl.securetrust.com/STCA.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url http://www.e-szigno.hu/SZSZ/0
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.certplus.com/CRL/class3.crl0
url http://logo.verisign.com/vslogo.gif0
url http://www.acabogacia.org/doc0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url https://www.catcert.net/verarrel
url http://www.sk.ee/cps/0
url http://www.quovadis.bm0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://crl.chambersign.org/chambersroot.crl0
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://www.d-trust.net0
url http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url http://crl.ssc.lt/root-a/cacrl.crl0
url http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url http://www.certicamara.com/certicamaraca.crl0
url http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url http://www.post.trust.ie/reposit/cps.html0
url http://qual.ocsp.d-trust.net0
url http://www2.public-trust.com/crl/ct/ctroot.crl0
url http://www.certicamara.com0
url http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url http://www.comsign.co.il/cps0
url http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url http://www.signatur.rtr.at/de/directory/cps.html0
url http://www.globaltrust.info0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
file C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
Process injection Process 2068 resumed a thread in remote process 2136
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2136
1 0 0