Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 23, 2024, 9:47 a.m.	Aug. 23, 2024, 9:51 a.m.

Size	8.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`679c3af5f25af03f0703263673e1bb15`
SHA256	`bba61ab41bd0849e06196b8fdeb58128ce8bada11ea3543a236f3fffcd16a069`
CRC32	`8F083768`
ssdeep	`196608:yNtzYNTe09Axlh/+7e6CvlLb4QZDfNUjF82/mI67Ad/w9:y/zYNTX9AJ/+TCvRbtxNUXuz7Mk`
Yara	themida_packer - themida packer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

Update.exe "C:\Users\test22\AppData\Local\Temp\Update.exe"
300
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\s8c.0.bat" "
  2112
  - timeout.exe timeout 3
    2172
  - PSZC.exe "C:\ProgramData\GoogleUpdater\PSZC.exe"
    2276
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f
      2356

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 23, 2024, 9:47 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 23, 2024, 9:47 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 23, 2024, 9:47 a.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\s8c.2 console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 23, 2024, 9:47 a.m.	buffer: SUCCESS: The scheduled task "PSZC" has successfully been created. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 23, 2024, 9:47 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section
section	.imports
section	.vmp\xc2\xbc_\xc2
section	.themida
section	.boot
section	.vmp\xc3\x9c4~

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

REGISTRY

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: update+0x3295be @ 0xf595be update+0x3645b2 @ 0xf945b2 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3996616 registers.edi: 13053952 registers.eax: 3996616 registers.ebp: 3996696 registers.edx: 2130566132 registers.ebx: 13376588 registers.esi: 2006021163 registers.ecx: 1344798720	1
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: exception.instruction_r: ed e9 65 77 ff ff ae ee 4e c0 61 e9 59 00 00 00 exception.symbol: update+0x3b1ac8 exception.instruction: in eax, dx exception.module: Update.exe exception.exception_code: 0xc0000096 exception.offset: 3873480 exception.address: 0xfe1ac8 registers.esp: 3996736 registers.edi: 1846904 registers.eax: 1750617430 registers.ebp: 13053952 registers.edx: 2130532438 registers.ebx: 2147483650 registers.esi: 14084014 registers.ecx: 20	1
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: exception.instruction_r: ed e9 76 4c 0e 00 c3 e9 21 65 0e 00 e2 c8 07 cd exception.symbol: update+0x2c5066 exception.instruction: in eax, dx exception.module: Update.exe exception.exception_code: 0xc0000096 exception.offset: 2904166 exception.address: 0xef5066 registers.esp: 3996736 registers.edi: 1846904 registers.eax: 1447909480 registers.ebp: 13053952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14084014 registers.ecx: 10	1
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: pszc+0x3295be @ 0xd495be pszc+0x3645b2 @ 0xd845b2 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 4652240 registers.edi: 10891264 registers.eax: 4652240 registers.ebp: 4652320 registers.edx: 2130566132 registers.ebx: 11213900 registers.esi: 2006021163 registers.ecx: 1236729856	1
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: exception.instruction_r: ed e9 65 77 ff ff ae ee 4e c0 61 e9 59 00 00 00 exception.symbol: pszc+0x3b1ac8 exception.instruction: in eax, dx exception.module: PSZC.exe exception.exception_code: 0xc0000096 exception.offset: 3873480 exception.address: 0xdd1ac8 registers.esp: 4652360 registers.edi: 5648136 registers.eax: 1750617430 registers.ebp: 10891264 registers.edx: 2130532438 registers.ebx: 2147483650 registers.esi: 11921326 registers.ecx: 20	1
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: exception.instruction_r: ed e9 76 4c 0e 00 c3 e9 21 65 0e 00 e2 c8 07 cd exception.symbol: pszc+0x2c5066 exception.instruction: in eax, dx exception.module: PSZC.exe exception.exception_code: 0xc0000096 exception.offset: 2904166 exception.address: 0xce5066 registers.esp: 4652360 registers.edi: 5648136 registers.eax: 1447909480 registers.ebp: 10891264 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 11921326 registers.ecx: 10	1

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c6a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c5a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a5a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 69632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a4a000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

PSZC.exe tried to sleep 212 seconds, actually delayed analysis time by 212 seconds

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\GoogleUpdater\PSZC.exe
file	C:\Users\test22\AppData\Local\Temp\s8c.0.bat

Creates a suspicious process (2 events)

cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\s8c.0.bat
file	C:\ProgramData\GoogleUpdater\PSZC.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 23, 2024, 9:47 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\s8c.0.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\s8c.0.bat	1	1	0
ShellExecuteExW Aug. 23, 2024, 9:47 a.m.	show_type: 0 filepath_r: schtasks.exe parameters: /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f filepath: schtasks.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 23, 2024, 9:47 a.m.	process_identifier: 2276 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00230000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00820e00', u'virtual_address': u'0x00c13000', u'entropy': 7.994277184216745, u'name': u'.vmp\\xc3\\x9c4~', u'virtual_size': u'0x00820c10'}

entropy

7.99427718422

description

A section with a high entropy has been found

entropy

0.998680184774

description

Overall entropy of this PE file is high

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f

The executable is likely packed with VMProtect (6 events)

section	.vmp\xc2\xbc_\xc2	description	Section name indicates VMProtect
section	.vmp\xc2\xbc_\xc2	description	Section name indicates VMProtect
section	.vmp\xc2\xbc_\xc2	description	Section name indicates VMProtect
section	.vmp\xc3\x9c4~	description	Section name indicates VMProtect
section	.vmp\xc3\x9c4~	description	Section name indicates VMProtect
section	.vmp\xc3\x9c4~	description	Section name indicates VMProtect

Checks for the presence of known windows from debuggers and forensic tools (50 out of 162 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: File Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Process Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Aug. 23, 2024, 9:47 a.m.	class_name: Regmonclass window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks.exe /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "PSZC" /tr C:\ProgramData\GoogleUpdater\PSZC.exe /f

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2112 resumed a thread in remote process 2276
NtResumeThread Aug. 23, 2024, 9:47 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2276	1	0	0

Detects VirtualBox through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 23, 2024, 9:47 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 23, 2024, 9:47 a.m.	stacktrace: exception.instruction_r: ed e9 76 4c 0e 00 c3 e9 21 65 0e 00 e2 c8 07 cd exception.symbol: update+0x2c5066 exception.instruction: in eax, dx exception.module: Update.exe exception.exception_code: 0xc0000096 exception.offset: 2904166 exception.address: 0xef5066 registers.esp: 3996736 registers.edi: 1846904 registers.eax: 1447909480 registers.ebp: 13053952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14084014 registers.ecx: 10	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.GenCBL.7!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.ClipBanker
Skyhigh	BehavesLike.Win32.Obfuscated.rc
ALYac	Gen:Variant.Fragtor.517674
Cylance	Unsafe
VIPRE	Gen:Variant.Fragtor.517674
Sangfor	Trojan.Win32.Gencbl.Vby8
K7AntiVirus	Trojan ( 005afd481 )
BitDefender	Trojan.GenericKD.73885784
K7GW	Trojan ( 005afd481 )
Cybereason	malicious.5f25af
Arcabit	Trojan.Generic.D4676858
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenCBL.EFG
APEX	Malicious
McAfee	Artemis!679C3AF5F25A
Avast	Win32:Evo-gen [Trj]
Kaspersky	Trojan-Banker.Win32.ClipBanker.abbe
Alibaba	Trojan:Win32/GenCBL.699cc4a5
NANO-Antivirus	Trojan.Win32.Nekark.kprhfw
MicroWorld-eScan	Trojan.GenericKD.73885784
Rising	Trojan.Generic!8.C3 (CLOUD)
Emsisoft	Trojan.GenericKD.73885784 (B)
F-Secure	Trojan.TR/AD.Nekark.wmtwr
DrWeb	Trojan.MulDrop26.34023
Zillya	Trojan.GenCBL.Win32.17285
McAfeeD	ti!BBA61AB41BD0
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.679c3af5f25af03f
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/AD.Nekark.wmtwr
MAX	malware (ai score=81)
Antiy-AVL	Trojan[Packed]/Win32.VMProtect
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.RisePro.mz!c
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Banker.Win32.ClipBanker.abbe
GData	Trojan.GenericKD.73885784
BitDefenderTheta	Gen:NN.ZexaF.36812.@@1@ayxJigci
Malwarebytes	Malware.AI.4288221224
Ikarus	Trojan.Win32.Generic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CH724
Tencent	Malware.Win32.Gencirc.14049af4
MaxSecure	Trojan.Malware.236589590.susgen
Fortinet	PossibleThreat.PALLAS.M

Update.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All