Summary | ZeroBOX

guardservice.exe

Tags: Emotet, Generic Malware, Malicious Library, ASPack, UPX, Malicious Packer, ftp, Lnk Format, GIF Format, PE File, dll, OS Processor Check, PE32, DllRegisterServer
Category  Machine           Started                  Completed
FILE      s1_win7_x6403_us  Aug. 2, 2024, 5:18 p.m.  Aug. 2, 2024, 5:25 p.m.
Size 264.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d0e4beee4073fbe4ffeaf89c052eab2b
SHA256 fce63851c1d0a4bf68fb415fac1dae78bcadd13b8fd0e8acb2d4bd84c843b2d3
CRC32 208A76E8
ssdeep 3072:3TQ+RgPx3Bl6wY6PGrmemXLaQwZz4Iux6Yk2UrMKN4uryMXgVI4bHCm7AmyRctPO:3h6Mmr21v4KSEyVyRSxo
Yara
  • ftp_command - ftp command
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
159.75.57.69 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2050736 ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com) Misc activity
TCP 192.168.56.103:49163 -> 159.75.57.69:443 2050737 ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) Misc activity
TCP 192.168.56.103:49163 -> 159.75.57.69:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 159.75.57.69:443 2050737 ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) Misc activity

Suricata TLS

Flow         TLSv1 192.168.56.103:49163 -> 159.75.57.69:443
Issuer       C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G3
Subject      C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, CN=*.cos.ap-guangzhou.myqcloud.com
Fingerprint  92:52:87:fc:ce:db:af:62:b4:ce:28:44:27:01:5e:3d:63:8d:d7:12

Time & API        Arguments                 Status  Return  Repeated
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
Time & API            Arguments  Status  Return  Repeated
GlobalMemoryStatusEx  -          1       1       0
packer   Armadillo v1.71
request  GET https://sgz-1302338321.cos.ap-guangzhou.myqcloud.com/store_app/Update.exe
name     RT_VERSION, language LANG_CHINESE, sublanguage SUBLANG_CHINESE_SIMPLIFIED, filetype data, offset 0x0005d058, size 0x00000264
file     C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\guardservice.exe.lnk
file     C:\Users\test22\AppData\Local\Temp\Update.exe
file     C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\guardservice.exe.lnk
file     C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Users\test22\AppData\Local\Temp\guardservice.exe.lnk
file     C:\Users\test22\AppData\Local\Temp\Update.exe
Time & API   Arguments   Status  Return  Repeated

InternetReadFile
  buffer: (binary; start of the downloaded file: MZ/DOS stub "This program cannot be run in DOS mode.", Rich header, PE header with sections .text, .rdata, .data, .rsrc; raw bytes not reproduced)
  request_handle: 0x00cc000c
  1 1 0

InternetReadFile
  buffer: (binary; GBK strings that appear as Latin-1 mojibake in the raw dump, decoding to "…会话失败!", "701 解析URL地址失败!", "700 当前系统不支持WinHttp服务!" and "引号=deleted="; followed by the strings SkinH_AttachRes, Comet.WndShadow, Comet.WndShadow.Color, Comet.WndShadow.Size, Comet.WndShadow.Proc, SysShadow, Static, then an embedded UPX-packed PE with sections UPX0, UPX1, .rsrc and the marker "3.05UPX!"; raw bytes not reproduced)
  request_handle: 0x00cc000c
  1 1 0

InternetReadFile
  buffer: (binary; UTF-16LE Japanese dialog strings that appear as mojibake in the raw dump, e.g. "%s 更新日時: %.4hu/%.2hu/%.2hu %.2hu:%.2hu:%.2hu サイズ: %I64u バイト" and an "SFX-…" title; a VS_VERSION_INFO block (Translation 041104b0) with Comments "Common Archiver Project's 7-ZIP32.DLL using Igor Pavlov's 7-Zip", FileDescription "7-zip32", FileVersion "9, 22, 0, 1", InternalName "SevenZip", LegalCopyright "Copyright (C) 2002-2014 by …", OriginalFilename "7-zip32.dll", ProductName "7-zip32", ProductVersion "9, 22, 0, 1"; then a second embedded UPX-packed PE with sections UPX0, UPX1, .rsrc and the marker "1.25UPX!"; raw bytes not reproduced)
  request_handle: 0x00cc000c
  1 1 0
reg_key    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\guardservice.exe
reg_value  C:\Users\test22\AppData\Local\Temp\guardservice.exe
file       C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\guardservice.exe.lnk
registry   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Antivirus  Result
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.dh
ALYac Gen:Variant.Fragtor.168812
Cylance Unsafe
VIPRE Gen:Variant.Fragtor.168812
Sangfor Trojan.Win32.Save.BlackMoon
BitDefender Gen:Variant.Fragtor.168812
Cybereason malicious.e4073f
Arcabit Trojan.Fragtor.D2936C
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/CoinMiner.CIB
APEX Malicious
ClamAV Win.Dropper.Tiggre-9845940-0
Alibaba Trojan:Win32/CoinMiner.de1659a4
MicroWorld-eScan Gen:Variant.Fragtor.168812
Emsisoft Gen:Variant.Fragtor.168812 (B)
McAfeeD ti!FCE63851C1D0
Trapmine malicious.high.ml.score
FireEye Generic.mg.d0e4beee4073fbe4
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan/Genome.bmrr
Google Detected
MAX malware (ai score=80)
Antiy-AVL Trojan/Win32.Blamon.a
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan-Stealer.BlackMoon.D
Varist W32/Tiny.Q.gen!Eldorado
BitDefenderTheta Gen:NN.ZexaF.36810.qq0@aWX2otjb
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Wacatac
Malwarebytes Generic.Malware.AI.DDS
Ikarus Trojan.Crypt
Tencent Backdoor.Win32.Runshell_l.16001193
MaxSecure Dropper.Dinwod.frindll
Fortinet W32/CoinMiner.ESFJ!tr
CrowdStrike win/malicious_confidence_90% (W)