Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 12, 2024, 8:51 a.m.	Aug. 12, 2024, 9:14 a.m.

Size	439.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`95d8ef6aaeae33dae91636b2bde473b8`
SHA256	`05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767`
CRC32	`ADA6AAEA`
ssdeep	`6144:XsaeVjbUSAODc/mDHJKzBJvPKcQQfHAijx7TSig0yw6J:XsamHDDpuBhKX2jlGiyw6`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
2556
- Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
  2608

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 12, 2024, 8:51 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 5372220 registers.edi: 16 registers.eax: 0 registers.ebp: 4294828032 registers.edx: 4294826996 registers.ebx: 1835008 registers.esi: 5372276 registers.ecx: 1629224960	1	0	0
__exception__ Aug. 12, 2024, 8:51 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xfff9946f registers.esp: 1833528 registers.edi: 0 registers.eax: 1968976824 registers.ebp: 1833536 registers.edx: 4294546543 registers.ebx: 4294828032 registers.esi: 0 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00024a00', u'virtual_address': u'0x00021000', u'entropy': 7.998913157677574, u'name': u'.pdata', u'virtual_size': u'0x00025000'}

entropy

7.99891315768

description

A section with a high entropy has been found

entropy

0.33409350057

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 12, 2024, 8:51 a.m.	process_identifier: 2608 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000010c	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!càÆo @7@@0¢PpÌ ¡ p.textF}~ `.itexti `.rdata² @@.dataÈ° @À.pdatae`.@À.relocÌp:@B base_address: 0x001c0000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: ÃUìSVWu}»ÈÁÈ Ð÷ÒÁÀÈ3Â«ÁÀ ÈÐ÷Ò«ÁÀÈ3ÂÐ÷Ò«ÁÀ3Â«wðKÛuÇ_^[]Â@UìSVW¸üýþÿ¹@]Dü-Iuô}¾@3ÛUmÁ3Ò÷öÁTÓ\TTTAùuÖ]3É}¾ UmÁ3Ò÷öÁTÓ\TTTAùuÖ]3É}¾@UmÁ3Ò÷öÁTÓ\TTTAùuÖ]Ã_^[]ÂUìSVW3À]3É3Òu}öt3UmT Ó\TTþÂD0TT TþÁGNöuÒ]_^[]Âfffèûÿÿffè ÏþÿfDèÆÿÿffèßÿÿfjÿÈUBDèdøÿÿèeøÿÿèHøÿÿèIøÿÿèbøÿÿèWøÿÿè@øÿÿèYøÿÿèBøÿÿè=øÿÿè øÿÿèñ÷ÿÿè øÿÿèí÷ÿÿèøÿÿèøÿÿèä÷ÿÿè÷÷ÿÿèæ÷ÿÿèÛ÷ÿÿèâ÷ÿÿè3ãÿÿè@ãÿÿèMãÿÿè*ãÿÿè7ãÿÿè,ãÿÿèEãÿÿè ãÿÿè5ãÿÿè$ãÿÿèãÿÿèãÿÿèãÿÿ base_address: 0x001d9000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: \¤¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.£££ú¢±!c ô<¡<ì\|.textìZ.text$mni.itext p.idata$5p Ì.rdata<¡ô.rdata$zzzdbg0¢<.idata$2l¢.idata$3¢p.idata$4ð¢Â.idata$6°p.datapOX.bss`.xyzÄ¢£D ¤¢¤$ ¢¤¤ \¤¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.£££ú¢BitBlt(CreateDIBitmap3CreateFontWECreateSolidBrushªGetDeviceCapsÔGetPixelåGetTextColor.SelectObject/SelectPaletteNSetPixelgdi32.dllcCreateDialogParamWnCreateWindowExWDefWindowProcW'GetDlgItemÎIsDlgButtonCheckedïLoadImageW÷LoadMenuWUSER32.dllFreeLibraryÉGetCommandLineAÊGetCommandLineW6GetFileAttributesWQGetLastErrorUGetLocaleInfoWeGetModuleHandleAGetProcAddressKERNEL32.dll base_address: 0x001da000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: ´Nè¤õY«¿vøÂÕräÃ+HUu¡ìÚüÖ#õÜP9Ysb}N÷HHãÄå)µÊ¨Ò tæYÄ×hNêO°{±£5{EoKØÉxÃ¹çèØÑ@þâ<0 ¬û¿0ÍÇ¼¾ ÆðoÊ®tÃ¬¾ügúäAL \| (bjR Ð¦ãÊÚ»«rfÂ\|¡}°)`qâ_º°Ù"¤<uýÂx+Âfôñ£-ÍpÖ ûõÌc%«ä_vKbéw5â«èë+¨¸\|gb³®P bÛ=2Á+ç&ý,Æçz¹pÂÖÓµ+<ø=å Ñ§0ê í¶=æáC\mÑ¾×z£J¯¶ÞÏïeýTh·¿jg·ÞQùzP).[îpJ öP®túÒý·ÔðÜçcå@»ùxW¶ÐKi~i Ç9@èíÛõBoÖâ¡ Óqþ'Å¶áL(Æ`ª¥@4D7zÕÈ¼Ôí¢Ý{O\º(ñÝÀ^f{ÈªRÎÚL^Ouõ=.Þ°¸ëÛ#¢´òMîL¹t{êîÒrzÊÝÉ5%«R)¹ûû¥ê}D2-fÏ\ íÐµH~õ¶û;ØQÚ_ºfðcÈäC¶Q9nP+Ç¦Æºma$ÁT¯í°]8RVËÍ»¾¤I ]bî±30NfÅûÂ'ÖÔÐûøEf çµHdØ¢@²3Øap¼¾· ¢Ì)É36µJ²6B,ÆÒG×W²µç2îÅ¾¶yíAoMµRð!OøXÔ(G4»rÿ°$ æªíob&Á·j¡3 UÿÞ%Ø¼õì ½AJö6_MdÃ¡Æ}ö¤Õ¼>Fà(ÃÚM}Í6cQ4ë\|Óü!tPÅU7Dú5"?ºÊûE7ºßºÄ¶LxdîùôwæY{bQÁgC0º:FÊ¸ØÓÌ5ÿ/Óf/\|\|ìlªû!&{oxm\|#a©=ð±>³®ïÊ>¡v§ ]«®/£T>==i \p5 QGþ2y.ñ»v©Æ4ÏUjÃ¼¶`0]Eì#î<D!¬&åå×·L¬Å ^g¦ «)QÌº^\Øúè½æ ÖôÝPzrRöO<±r:ð¨ÖèËWµq©ì×DÉ¡`ÞX7$ûùS{ºü ìÎ¼qrùåºÉ]ã$! -ñÍ6Hh ¥W+¶y\|'Çªu' ÀÆ´ÄGsô]ÌË1Nc¬,,ÈýKqóL°õ¯ów]Â"Í@Vÿ~ñÉñ x~¦ÊQ6íL,XqÔêÜéáä9[}ìîKk¶WÖ~»Þö?äÓÍUy]êãTÉÍCtAlÕT]ìsÁ/ñFxU·i\yê Kú\u#cw~?BÑÉª¸4/ýqN0 _ëC ¥Ôó÷wc¬ÈãmåèÓoÙðB¯ÉLðhTµcpb_ÛH¢'8ù®,æX=oÀèç}[0y:Ög,¯¬ÝSëÓTe°¯ù[ºÿODGFe}â+ÕcìÊah-x=×<çÛíVÇ³¥¯?²æÐeÉUÃ}$¨>YVÖtPªcÈºc°}RÄ·Ã¯5Oq?Dáùm@[Ûä6¤DÖ.fÌ`þÁ)Ms>²]¦ÒÆÿÃ~L÷XµèöN$v³QÃx8sÁËÖ%)¿hñJòÚÀãÃ¾¯«[¡3í-ÕÌtyÄ$v¿ÕÃá¹Ë fºðóÝÂÿ¯¨W@>ã(2jÖx~Ó]hwKñ¬/Ì¤Øe}Öñ2IåW«Ê³JaÃ^>Ú$<ëóÌ/^ ÕÿÉÁ´ öPZ/Ê\|zó·$þwNÓWL»£h²ý¾qAþ¨ipgí¾÷âÞ:îq'4I8e¡ãõïöy¢l«ð âÏ¤Aæ%¿+_©bÔ§Ðâ\|TÌHyDL ¬ÏÄZDùM¼¯?Û¸©Ó¢)Êv-Å±ëàsþeÀËOcÁÄ1- õÿY¢µàÑ»@$$St}1Ð CVsÅ3 °Æ\|H/VíÙÙÿoþßÐ¡zkÓßI\[ êÉQfd¼èÁ`è]ðLsÉ rE]pJùÆïx£¿:ðPTÈ§fQç¡O7ú<'ÞrKÍqUýÙÞ6çjÙ«/QVÆJK)¤¯XÎ0iø ?æå(~¯ ¡pó ¨g0ö\|ñ èÃ"ãÒú~:R!î±SßB d§ì¶¯Ò YüèÌæ')P¤}©"¤¯ÇCö³'J´7É È½¶ç<úè ¯ó-õ¢#_5xÛî¹°_Ûå0R¦`Zª}Æ0ëËúUe+º¸80Gæ)~Å×-Î¿·Ì®}«Ô<Q?q20I'{!DÓ$ZY¤Ý¹ x0t®Cð.§^:»®qq1jAKécs8Çâô9ôg1¿ ÝÐÜÏlø7êr½üZ(ÒRq¼TÂDeÌàÃoy"ÔtÌ#$øbfW¨¸H1/«Û?èï>íi¾][SÑ]\|Û%SÇ ßÛdf;ÿò;µýP9@)^,ñµóGøéÍ¡Y`æAÀ¾áÐ_V p3õN'Ïæ7âuµ¦>$ÛÛ6mÖ¯^n(½_/Ð¸Û= 6zU[ÀÈBÊÎ÷HÊAJuJO°X º¸ENÒ9Ù÷ò¯îÉÓ×G9]P(m9 ÙX?w(§ñÞ°Å#_&ìÛWÙ^¯fEH \¨ûR<kSmà_æÒµÝ®yl 0ºnËÏÉ8â×ZyYuþW\|í Íh¼zC> ¥ AÒù müR58¯ÄÝ!/¬xãk§×øl©;]õ]Ö}mzî¡íÛèét{OªãÐöµ÷)Qö$éÂäÀZÀ l_G>âøpL!¾gg:¹T{ Ë°°J\|î]&ÇA^Tuéóçòû¾²¦p¹Ázqt©µÃ!®}é5æ¨Ì}fÄLGëGXgDósSðlåÞTpÝ,£p=¼Ð÷N~'#\]æ=¤Xì_¨¬K©\pÏ¡%~.²ÅU3øaûÖàI9A¶ÑØÊò?Ñ7eEÃì6£Ý÷¥XÀ½+¢Ö0ÈPQ&äÛ(èìm2/V îÁaW3GåxY¼\|ýüÍñ£ K¼* ok;:Ã]úSÚ âôZai?¹¾»Fê8el »ºaZ<lÙÚa_rÃÓQÌ=6 Q5õW7z°åhÜIºEo48ÔÇáXH¢y ' 5¡:k¯</?±oG5³>Dz¹ULaáh²&æÙGKµ^Ñâ ·ôi.~tÏ~[-mâbÎÎ2Ø©î$÷×Ht¦áO¸²3ýòo»z%FETÓ$¨<û£?G6ü5Çd/!03Î?.^opé!Ä<)Þ0À base_address: 0x001e6000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2608 process_handle: 0x0000010c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!càÆo @7@@0¢PpÌ ¡ p.textF}~ `.itexti `.rdata² @@.dataÈ° @À.pdatae`.@À.relocÌp:@B base_address: 0x001c0000 process_identifier: 2608 process_handle: 0x0000010c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2608
NtSetContextThread Aug. 12, 2024, 8:51 a.m.	registers.eip: 1995571652 registers.esp: 1833628 registers.edi: 0 registers.eax: 1938543 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2608	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2608
NtResumeThread Aug. 12, 2024, 8:51 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2608	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 12, 2024, 8:51 a.m.	thread_identifier: 2612 thread_handle: 0x00000108 process_identifier: 2608 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Setup.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\Setup.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000010c	1	1
NtGetContextThread Aug. 12, 2024, 8:51 a.m.	thread_handle: 0x00000108	1	0
NtAllocateVirtualMemory Aug. 12, 2024, 8:51 a.m.	process_identifier: 2608 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000010c	1	0
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!càÆo @7@@0¢PpÌ ¡ p.textF}~ `.itexti `.rdata² @@.dataÈ° @À.pdatae`.@À.relocÌp:@B base_address: 0x001c0000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: base_address: 0x001c1000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: ÃUìSVWu}»ÈÁÈ Ð÷ÒÁÀÈ3Â«ÁÀ ÈÐ÷Ò«ÁÀÈ3ÂÐ÷Ò«ÁÀ3Â«wðKÛuÇ_^[]Â@UìSVW¸üýþÿ¹@]Dü-Iuô}¾@3ÛUmÁ3Ò÷öÁTÓ\TTTAùuÖ]3É}¾ UmÁ3Ò÷öÁTÓ\TTTAùuÖ]3É}¾@UmÁ3Ò÷öÁTÓ\TTTAùuÖ]Ã_^[]ÂUìSVW3À]3É3Òu}öt3UmT Ó\TTþÂD0TT TþÁGNöuÒ]_^[]Âfffèûÿÿffè ÏþÿfDèÆÿÿffèßÿÿfjÿÈUBDèdøÿÿèeøÿÿèHøÿÿèIøÿÿèbøÿÿèWøÿÿè@øÿÿèYøÿÿèBøÿÿè=øÿÿè øÿÿèñ÷ÿÿè øÿÿèí÷ÿÿèøÿÿèøÿÿèä÷ÿÿè÷÷ÿÿèæ÷ÿÿèÛ÷ÿÿèâ÷ÿÿè3ãÿÿè@ãÿÿèMãÿÿè*ãÿÿè7ãÿÿè,ãÿÿèEãÿÿè ãÿÿè5ãÿÿè$ãÿÿèãÿÿèãÿÿèãÿÿ base_address: 0x001d9000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: \¤¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.£££ú¢±!c ô<¡<ì\|.textìZ.text$mni.itext p.idata$5p Ì.rdata<¡ô.rdata$zzzdbg0¢<.idata$2l¢.idata$3¢p.idata$4ð¢Â.idata$6°p.datapOX.bss`.xyzÄ¢£D ¤¢¤$ ¢¤¤ \¤¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.£££ú¢BitBlt(CreateDIBitmap3CreateFontWECreateSolidBrushªGetDeviceCapsÔGetPixelåGetTextColor.SelectObject/SelectPaletteNSetPixelgdi32.dllcCreateDialogParamWnCreateWindowExWDefWindowProcW'GetDlgItemÎIsDlgButtonCheckedïLoadImageW÷LoadMenuWUSER32.dllFreeLibraryÉGetCommandLineAÊGetCommandLineW6GetFileAttributesWQGetLastErrorUGetLocaleInfoWeGetModuleHandleAGetProcAddressKERNEL32.dll base_address: 0x001da000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: base_address: 0x001db000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: ´Nè¤õY«¿vøÂÕräÃ+HUu¡ìÚüÖ#õÜP9Ysb}N÷HHãÄå)µÊ¨Ò tæYÄ×hNêO°{±£5{EoKØÉxÃ¹çèØÑ@þâ<0 ¬û¿0ÍÇ¼¾ ÆðoÊ®tÃ¬¾ügúäAL \| (bjR Ð¦ãÊÚ»«rfÂ\|¡}°)`qâ_º°Ù"¤<uýÂx+Âfôñ£-ÍpÖ ûõÌc%«ä_vKbéw5â«èë+¨¸\|gb³®P bÛ=2Á+ç&ý,Æçz¹pÂÖÓµ+<ø=å Ñ§0ê í¶=æáC\mÑ¾×z£J¯¶ÞÏïeýTh·¿jg·ÞQùzP).[îpJ öP®túÒý·ÔðÜçcå@»ùxW¶ÐKi~i Ç9@èíÛõBoÖâ¡ Óqþ'Å¶áL(Æ`ª¥@4D7zÕÈ¼Ôí¢Ý{O\º(ñÝÀ^f{ÈªRÎÚL^Ouõ=.Þ°¸ëÛ#¢´òMîL¹t{êîÒrzÊÝÉ5%«R)¹ûû¥ê}D2-fÏ\ íÐµH~õ¶û;ØQÚ_ºfðcÈäC¶Q9nP+Ç¦Æºma$ÁT¯í°]8RVËÍ»¾¤I ]bî±30NfÅûÂ'ÖÔÐûøEf çµHdØ¢@²3Øap¼¾· ¢Ì)É36µJ²6B,ÆÒG×W²µç2îÅ¾¶yíAoMµRð!OøXÔ(G4»rÿ°$ æªíob&Á·j¡3 UÿÞ%Ø¼õì ½AJö6_MdÃ¡Æ}ö¤Õ¼>Fà(ÃÚM}Í6cQ4ë\|Óü!tPÅU7Dú5"?ºÊûE7ºßºÄ¶LxdîùôwæY{bQÁgC0º:FÊ¸ØÓÌ5ÿ/Óf/\|\|ìlªû!&{oxm\|#a©=ð±>³®ïÊ>¡v§ ]«®/£T>==i \p5 QGþ2y.ñ»v©Æ4ÏUjÃ¼¶`0]Eì#î<D!¬&åå×·L¬Å ^g¦ «)QÌº^\Øúè½æ ÖôÝPzrRöO<±r:ð¨ÖèËWµq©ì×DÉ¡`ÞX7$ûùS{ºü ìÎ¼qrùåºÉ]ã$! -ñÍ6Hh ¥W+¶y\|'Çªu' ÀÆ´ÄGsô]ÌË1Nc¬,,ÈýKqóL°õ¯ów]Â"Í@Vÿ~ñÉñ x~¦ÊQ6íL,XqÔêÜéáä9[}ìîKk¶WÖ~»Þö?äÓÍUy]êãTÉÍCtAlÕT]ìsÁ/ñFxU·i\yê Kú\u#cw~?BÑÉª¸4/ýqN0 _ëC ¥Ôó÷wc¬ÈãmåèÓoÙðB¯ÉLðhTµcpb_ÛH¢'8ù®,æX=oÀèç}[0y:Ög,¯¬ÝSëÓTe°¯ù[ºÿODGFe}â+ÕcìÊah-x=×<çÛíVÇ³¥¯?²æÐeÉUÃ}$¨>YVÖtPªcÈºc°}RÄ·Ã¯5Oq?Dáùm@[Ûä6¤DÖ.fÌ`þÁ)Ms>²]¦ÒÆÿÃ~L÷XµèöN$v³QÃx8sÁËÖ%)¿hñJòÚÀãÃ¾¯«[¡3í-ÕÌtyÄ$v¿ÕÃá¹Ë fºðóÝÂÿ¯¨W@>ã(2jÖx~Ó]hwKñ¬/Ì¤Øe}Öñ2IåW«Ê³JaÃ^>Ú$<ëóÌ/^ ÕÿÉÁ´ öPZ/Ê\|zó·$þwNÓWL»£h²ý¾qAþ¨ipgí¾÷âÞ:îq'4I8e¡ãõïöy¢l«ð âÏ¤Aæ%¿+_©bÔ§Ðâ\|TÌHyDL ¬ÏÄZDùM¼¯?Û¸©Ó¢)Êv-Å±ëàsþeÀËOcÁÄ1- õÿY¢µàÑ»@$$St}1Ð CVsÅ3 °Æ\|H/VíÙÙÿoþßÐ¡zkÓßI\[ êÉQfd¼èÁ`è]ðLsÉ rE]pJùÆïx£¿:ðPTÈ§fQç¡O7ú<'ÞrKÍqUýÙÞ6çjÙ«/QVÆJK)¤¯XÎ0iø ?æå(~¯ ¡pó ¨g0ö\|ñ èÃ"ãÒú~:R!î±SßB d§ì¶¯Ò YüèÌæ')P¤}©"¤¯ÇCö³'J´7É È½¶ç<úè ¯ó-õ¢#_5xÛî¹°_Ûå0R¦`Zª}Æ0ëËúUe+º¸80Gæ)~Å×-Î¿·Ì®}«Ô<Q?q20I'{!DÓ$ZY¤Ý¹ x0t®Cð.§^:»®qq1jAKécs8Çâô9ôg1¿ ÝÐÜÏlø7êr½üZ(ÒRq¼TÂDeÌàÃoy"ÔtÌ#$øbfW¨¸H1/«Û?èï>íi¾][SÑ]\|Û%SÇ ßÛdf;ÿò;µýP9@)^,ñµóGøéÍ¡Y`æAÀ¾áÐ_V p3õN'Ïæ7âuµ¦>$ÛÛ6mÖ¯^n(½_/Ð¸Û= 6zU[ÀÈBÊÎ÷HÊAJuJO°X º¸ENÒ9Ù÷ò¯îÉÓ×G9]P(m9 ÙX?w(§ñÞ°Å#_&ìÛWÙ^¯fEH \¨ûR<kSmà_æÒµÝ®yl 0ºnËÏÉ8â×ZyYuþW\|í Íh¼zC> ¥ AÒù müR58¯ÄÝ!/¬xãk§×øl©;]õ]Ö}mzî¡íÛèét{OªãÐöµ÷)Qö$éÂäÀZÀ l_G>âøpL!¾gg:¹T{ Ë°°J\|î]&ÇA^Tuéóçòû¾²¦p¹Ázqt©µÃ!®}é5æ¨Ì}fÄLGëGXgDósSðlåÞTpÝ,£p=¼Ð÷N~'#\]æ=¤Xì_¨¬K©\pÏ¡%~.²ÅU3øaûÖàI9A¶ÑØÊò?Ñ7eEÃì6£Ý÷¥XÀ½+¢Ö0ÈPQ&äÛ(èìm2/V îÁaW3GåxY¼\|ýüÍñ£ K¼* ok;:Ã]úSÚ âôZai?¹¾»Fê8el »ºaZ<lÙÚa_rÃÓQÌ=6 Q5õW7z°åhÜIºEo48ÔÇáXH¢y ' 5¡:k¯</?±oG5³>Dz¹ULaáh²&æÙGKµ^Ñâ ·ôi.~tÏ~[-mâbÎÎ2Ø©î$÷×Ht¦áO¸²3ýòo»z%FETÓ$¨<û£?G6ü5Çd/!03Î?.^opé!Ä<)Þ0À base_address: 0x001e6000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: base_address: 0x001e7000 process_identifier: 2608 process_handle: 0x0000010c	1	1
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: base_address: 0xfffde008 process_identifier: 2608 process_handle: 0x0000010c	1	1
NtSetContextThread Aug. 12, 2024, 8:51 a.m.	registers.eip: 1995571652 registers.esp: 1833628 registers.edi: 0 registers.eax: 1938543 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000108 process_identifier: 2608	1	0
NtResumeThread Aug. 12, 2024, 8:51 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2608	1	0
WriteProcessMemory Aug. 12, 2024, 8:51 a.m.	buffer: base_address: 0x001c0000 process_identifier: 0 process_handle: 0x0000010c		0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Lockbit.1q!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Generic
Skyhigh	BehavesLike.Win32.Generic.gh
ALYac	Gen:Variant.Razy.458328
Cylance	Unsafe
VIPRE	Gen:Variant.Razy.458328
Sangfor	Ransom.Win32.Lockbit.Vwda
K7AntiVirus	Trojan ( 005b92891 )
BitDefender	Gen:Variant.Razy.458328
K7GW	Trojan ( 005b92891 )
Cybereason	malicious.aaeae3
Arcabit	Trojan.Razy.D6FE58
Symantec	Ransom.Blackmatter!gm1
ESET-NOD32	a variant of Win32/Kryptik_AGen.DNQ
APEX	Malicious
McAfee	Artemis!95D8EF6AAEAE
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Ransom:Win32/Lockbit.beca14c5
MicroWorld-eScan	Gen:Variant.Razy.458328
Rising	Trojan.Kryptik@AI.90 (RDML:Yjj4FgJW1YhDtI3uWnkt0w)
Emsisoft	Gen:Variant.Razy.458328 (B)
F-Secure	Trojan.TR/AVI.Lockbit.canmb
TrendMicro	Ransom_Lockbit.R002C0DHA24
McAfeeD	ti!05F9891BB4CA
FireEye	Generic.mg.95d8ef6aaeae33da
Sophos	Mal/Inject-CEE
Ikarus	Trojan.Win32.Agent
Google	Detected
Avira	TR/AVI.Lockbit.canmb
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Ransom]/Win32.LockBit
Kingsoft	Win32.Trojan.Generic.a
Gridinsoft	Trojan.Win32.Kryptik.sa
Microsoft	Ransom:Win32/Lockbit.HA!MTB
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Razy.458328
Varist	W32/ABRisk.NKFI-2106
AhnLab-V3	Trojan/Win.Injection.C5657684
BitDefenderTheta	Gen:NN.ZexaF.36810.ByW@a4R@!qf
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Inject
Malwarebytes	Malware.AI.3737376821
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	Ransom_Lockbit.R002C0DHA24
Tencent	Win32.Trojan.Generic.Pzfl
huorong	HVM:Trojan/Injector.gen!A

Setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All