Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2024, 9:30 a.m.	June 7, 2024, 9:38 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`6cf863b98e0282f50e8d5f90f611f664`
SHA256	`7e2d83b2683c93d79c4168abc7c8d3f6072b0744365c92161194ae0a24f2d920`
CRC32	`08092226`
ssdeep	`49152:bkay7C/f8R+II5hIp9uTOzNnzOxG0BKTFYkFENrFyb6QOnB:Qay7WHIIkpAWhzOrItFENrFfn`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

RuntimeBroker.exe "C:\Users\test22\AppData\Local\Temp\RuntimeBroker.exe"
2564
- wininit.dat C:\window\wininit.dat
  2652

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.26.5.15	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 7, 2024, 9:22 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 203 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: Huge pages support was successfully enabled, but reboot required to use it console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: ABOUT console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: XMRig/6.18.0-C3Pool console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: MSVC/2019 console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: LIBS libuv/1.41.0 OpenSSL/1.1.1k hwloc/2.7.1 console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: HUGE PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: unavailable console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: 1GB PAGES console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: unavailable console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: CPU Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz (1) console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: 64-bit console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: AES console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: VM console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: L2: console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: 0.5 MB console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: L3: console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: 18.0 MB console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: C console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: T console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: NUMA: console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: MEMORY console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: GB console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: MOTHERBOARD console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: innotek GmbH console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: VirtualBox console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: DONATE console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: ASSEMBLY auto: console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: intel console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: POOL #1 console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: auto.c3pool.org:80 console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: algo console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: auto console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: COMMANDS console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: h console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: ashrate, console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: p console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: ause, console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: r console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: esume, console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: re console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: s console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: ults, console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: c console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: onnection console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: OPENCL console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: disabled console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: CUDA console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: disabled console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: benchmk console_handle: 0x0000000000000013	1	1
WriteConsoleW June 7, 2024, 9:22 a.m.	buffer: STARTING ALGO PERFORMANCE CALIBRATION (with console_handle: 0x0000000000000013	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2024, 9:22 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 7, 2024, 9:30 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000207b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000207c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000207d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000207e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000207f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020b60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020b70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020bc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020c60000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020c70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020c80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020ca0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020cb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020bb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020cc0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020cd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020ce0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020cf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020d00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020e10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020e20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020e80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:23 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020f90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020fd0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000020fe0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000021120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000021130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000021140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000021180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000021190000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 7, 2024, 9:24 a.m.	process_identifier: 2652 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000211a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Foreign language identified in PE resource (48 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062da54

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062da54

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062da54

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062df44

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062df44

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062df44

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062df44

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f64c

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f79c

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0062f79c

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x006309e4

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0063142c

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00631478

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00631478

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00631478

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00635a34

size

0x000002c8

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 events)

Time & API	Arguments	Status	Return
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: mobsync.exe process_identifier: 2288	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: pw.exe process_identifier: 2332	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 2360	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: wininit.dat process_identifier: 2652	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: conhost.exe process_identifier: 2688	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 2752	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: cmd.exe process_identifier: 2832	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: cmd.exe process_identifier: 2896	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: conhost.exe process_identifier: 2904	1	1
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: conhost.exe process_identifier: 2948	1	1
Process32NextW June 7, 2024, 9:31 a.m.	snapshot_handle: 0x00000118 process_name: mscorsvw.exe process_identifier: 1336	1	1
Process32NextW June 7, 2024, 9:31 a.m.	snapshot_handle: 0x00000118 process_name: svchost.exe process_identifier: 196	1	1
Process32NextW June 7, 2024, 9:31 a.m.	snapshot_handle: 0x00000118 process_name: cmd.exe process_identifier: 2248	1	1
Process32NextW June 7, 2024, 9:32 a.m.	snapshot_handle: 0x00000124 process_name: WmiPrvSE.exe process_identifier: 2824	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 7, 2024, 9:22 a.m.	flags: 14 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00207000', u'virtual_address': u'0x0042e000', u'entropy': 7.999895907077937, u'name': u'UPX1', u'virtual_size': u'0x00207000'}

entropy

7.99989590708

description

A section with a high entropy has been found

entropy

0.997837058399

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

wininit.dat

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 241 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: coJb process_identifier: 2688		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: coJ process_identifier: 2688		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: coJÐ process_identifier: 2688		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJĈ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJŀ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJŸ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJư process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJǨ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJȠ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJɘ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJʐ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJˈ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ̀ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ̸ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJͰ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJΨ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJϠ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJИ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJѐ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ҈ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJӀ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJӸ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ԰ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJը process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ֠ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJט process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJؐ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: cm: ģ process_identifier: 2832		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJڀ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJڷ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJۭ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJܣ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJݙ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJޏ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ߅ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ߻ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ࠱ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJࡧ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ࢝ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ࣓ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJउ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJि process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJॵ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJফ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJৡ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJਗ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ੍ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJઃ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJહ process_identifier: 2752		0	0
Process32NextW June 7, 2024, 9:30 a.m.	snapshot_handle: 0x00000124 process_name: taJ૯ process_identifier: 2752		0	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

104.26.5.15

Created a service where a service was also not started (4 events)

Time & API	Arguments	Status	Return
CreateServiceW June 7, 2024, 9:22 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\window\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\window\WinRing0x64.sys desired_access: 983551 service_handle: 0x000000000037fa90 error_control: 1 service_type: 1 service_manager_handle: 0x000000000037fa60	1	3668624
CreateServiceW June 7, 2024, 9:23 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\window\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\window\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000003cf100 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003cf0d0	1	3993856
CreateServiceW June 7, 2024, 9:24 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\window\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\window\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000003cf160 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003cf1c0	1	3993952
CreateServiceW June 7, 2024, 9:24 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\window\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\window\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000003cf1f0 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003cf160	1	3994096

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 7, 2024, 9:22 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Dacic.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Dorv.28643
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Generic.Dacic.1.BitCoinMiner.A.DFFDCA7E
Cylance	Unsafe
VIPRE	Generic.Dacic.1.BitCoinMiner.A.DFFDCA7E
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Adware ( 004b94231 )
BitDefender	Generic.Dacic.1.BitCoinMiner.A.DFFDCA7E
K7GW	Adware ( 004b94231 )
Cybereason	malicious.98e028
Arcabit	Generic.Dacic.1.BitCoinMiner.A.DFFDCA7E
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/FlyStudio.Packed.AD potentially unwanted
APEX	Malicious
McAfee	Artemis!6CF863B98E02
Avast	Win64:CoinminerX-gen [Trj]
ClamAV	Win.Coinminer.Generic-7151253-0
Kaspersky	HEUR:Trojan.Win32.Miner.gen
Alibaba	Trojan:Win32/Coinminer.449
MicroWorld-eScan	Generic.Dacic.1.BitCoinMiner.A.DFFDCA7E
Rising	HackTool.VulnDriver/x64!1.D7DB (CLOUD)
Emsisoft	Generic.Dacic.1.BitCoinMiner.A.DFFDCA7E (B)
DrWeb	Trojan.StartPage1.63203
TrendMicro	TROJ_GEN.R011C0WF424
McAfeeD	Real Protect-LS!6CF863B98E02
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.6cf863b98e0282f5
Sophos	Generic Reputation PUA (PUA)
Ikarus	Trojan.Win32
Google	Detected
Antiy-AVL	RiskWare/Win32.FlyStudio.a
Kingsoft	Win32.Trojan.Miner.gen
Gridinsoft	Trojan.Win32.CoinMiner.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	VHO:Trojan.Win32.Miner.gen
GData	Win32.Application.PSE.1OV7PVV
Varist	W32/ABRisk.IYZQ-5926
AhnLab-V3	Malware/Win32.Generic.C3115465
BitDefenderTheta	Gen:NN.ZexaF.36806.coKfaODhXugb
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.FlyStudio.UPX
TrendMicro-HouseCall	TROJ_GEN.R011C0WF424
Yandex	Trojan.GenAsa!sMNOAPEjgxc
MAX	malware (ai score=88)
MaxSecure	Trojan.Malware.300983.susgen

RuntimeBroker.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All