Summary | ZeroBOX

MsMpEng.exe

Suspicious_Script_Bin Malicious Library UPX PE File DLL PE32
Category FILE
Machine s1_win7_x6403_us
Started Aug. 28, 2024, 12:24 p.m.
Completed Aug. 28, 2024, 12:27 p.m.
Size 700.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 bd36e9fc7144e50088bdcb08f842d4ae
SHA256 6c2a3e01a55bea6e2b5f155b42808c1eeba5d769ba580c496a2d79f04701941a
CRC32 B6470C46
ssdeep 12288:i853wf/iU5Urey5O5viNdo3RuDnEFheCY2eAuVLZEqhaH/e5:i+wN40vi7o3AgMC8AuVLZEk
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

DNS lookups (columns: Name, Response, Post-Analysis Lookup)
No hosts contacted.
IP traffic (columns: IP Address, Status, Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (columns: Time & API, Arguments, Status, Return, Repeated)

GlobalMemoryStatusEx

status: 1  return: 1  repeated: 0
section .ndata (NSIS installer data section)
NtProtectVirtualMemory

process_identifier: 2028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741c5000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe5000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 2028
region_size: 21237760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x033f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
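The three memory calls above, read the way a triage analyst would. The Python below is an added example and is not part of the ZeroBOX report or of the sample: it decodes the numeric protection and allocation_type fields the sandbox logs and flags the pattern visible here, namely two existing 4 KiB pages at addresses in the range where 32-bit Windows maps system DLLs flipped to PAGE_EXECUTE_READWRITE, and a region of roughly 20 MiB committed RWX by the process on itself (process_handle 0xffffffff is the GetCurrentProcess pseudo-handle). TRACE is constructed from the values on this page; SYSTEM_DLL_RANGE and LARGE_REGION are heuristic thresholds assumed for the example, not sandbox settings.

```python
"""Triage helper for NtProtectVirtualMemory / NtAllocateVirtualMemory records.

Added example, not code from the ZeroBOX report or the analysed sample.
"""
from dataclasses import dataclass

# Win32 memory-protection constants (winnt.h). Low byte is the protection
# class; the 0x100-0x400 bits are modifiers that can be OR'd on top.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOCATION_FLAGS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES",
}
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
CURRENT_PROCESS = 0xFFFFFFFF  # 32-bit pseudo-handle returned by GetCurrentProcess()

# Assumption (heuristic, not from the report): on 32-bit Windows, user-mode
# system DLLs are mapped high in the 2 GiB user range, so RWX changes there
# point at in-place patching of loaded modules rather than at the sample's own image.
SYSTEM_DLL_RANGE = (0x70000000, 0x80000000)
LARGE_REGION = 1 << 20  # 1 MiB; assumed threshold for "unusually large" RWX commits

# Constructed from the three calls logged on this page.
TRACE = [
    {"api": "NtProtectVirtualMemory", "process_identifier": 2028, "length": 4096,
     "protection": 64, "base_address": 0x741C5000, "process_handle": 0xFFFFFFFF},
    {"api": "NtProtectVirtualMemory", "process_identifier": 2028, "length": 4096,
     "protection": 64, "base_address": 0x73FE5000, "process_handle": 0xFFFFFFFF},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 2028, "region_size": 21237760,
     "protection": 64, "base_address": 0x033F0000, "allocation_type": 12288,
     "process_handle": 0xFFFFFFFF},
]


def decode_protection(value):
    """Turn a raw protection value (e.g. 64) into its winnt.h name(s)."""
    base = PAGE_PROTECTIONS.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def decode_allocation_type(value):
    """Turn a raw allocation_type (e.g. 12288) into MEM_* flag names."""
    names = [name for bit, name in ALLOCATION_FLAGS.items() if value & bit]
    known = sum(ALLOCATION_FLAGS)  # flag bits are disjoint, so sum == bitwise OR
    if value & ~known:
        names.append(f"0x{value & ~known:x}")
    return "|".join(names) or "0"


@dataclass
class Finding:
    api: str
    base_address: int
    size: int
    self_targeted: bool
    reason: str


def analyze(trace):
    """Return one Finding per RWX memory operation in the trace."""
    findings = []
    for call in trace:
        if call["protection"] != PAGE_EXECUTE_READWRITE:
            continue
        base = call["base_address"]
        self_targeted = call["process_handle"] == CURRENT_PROCESS
        if call["api"] == "NtProtectVirtualMemory":
            size = call["length"]
            if SYSTEM_DLL_RANGE[0] <= base < SYSTEM_DLL_RANGE[1]:
                reason = "existing page in system-DLL range made RWX (in-memory patch or hook)"
            else:
                reason = "existing page made RWX"
        elif call["api"] == "NtAllocateVirtualMemory":
            size = call["region_size"]
            if call["allocation_type"] & MEM_COMMIT and size >= LARGE_REGION:
                reason = f"{size // LARGE_REGION} MiB RWX region committed in one call"
            else:
                reason = "RWX region allocated"
        else:
            continue
        findings.append(Finding(call["api"], base, size, self_targeted, reason))
    return findings


def report(trace):
    """Render findings as one line each, with decoded constants."""
    lines = []
    for f in analyze(trace):
        who = "self" if f.self_targeted else "remote process"
        lines.append(f"{f.api} base=0x{f.base_address:08x} size={f.size} "
                     f"prot={decode_protection(PAGE_EXECUTE_READWRITE)} target={who}: {f.reason}")
    return lines


if __name__ == "__main__":
    for line in report(TRACE):
        print(line)
```

The two things worth keying a detection on are the combination, not either call alone: RWX protection changes on pages inside already-loaded system modules, and a single large RWX commit by the process into its own address space. Either can occur in benign JIT or packer code; both in one short trace, from an NSIS self-extractor, is what makes the sample worth a closer look.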
Dropped files
file C:\Users\test22\AppData\Local\Temp\nswC9E3.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\nswC9E3.tmp\LangDLL.dll
Antivirus results (columns: Vendor, Result)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Guloader.4!c
Cynet Malicious (score: 99)
Skyhigh Artemis!Trojan
Cylance Unsafe
VIPRE Gen:Variant.Nemesis.35897
Sangfor Trojan.Win32.Injector.Vvo8
BitDefender Gen:Variant.Nemesis.35897
Arcabit Trojan.Nemesis.D8C39
Paloalto generic.ml
Symantec Trojan.Gen.MBT
Elastic malicious (high confidence)
ESET-NOD32 NSIS/Injector.ASH
APEX Malicious
McAfee Artemis!BD36E9FC7144
Avast Win32:Evo-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Guloader.gen
Alibaba Trojan:Win32/Guloader.f7afa80d
MicroWorld-eScan Gen:Variant.Nemesis.35897
Emsisoft Gen:Variant.Nemesis.35897 (B)
F-Secure Trojan.TR/Injector.yesuf
TrendMicro Trojan.Win32.GULOADER.YXEH1Z
McAfeeD ti!6C2A3E01A55B
Trapmine malicious.high.ml.score
FireEye Gen:Variant.Nemesis.35897
Sophos Mal/Generic-S
Google Detected
Avira TR/Injector.yesuf
MAX malware (ai score=88)
Antiy-AVL Trojan[Spy]/Win32.Noon.gen
Microsoft Trojan:Win32/Caynamer.A!ml
ZoneAlarm HEUR:Trojan.Win32.Guloader.gen
GData Gen:Variant.Nemesis.35897
Malwarebytes Trojan.GuLoader
Ikarus Trojan.NSIS.Agent
TrendMicro-HouseCall Trojan.Win32.GULOADER.YXEH1Z
huorong Trojan/Injector.bsl
Fortinet NSIS/Injector.C5R2!tr
AVG Win32:Evo-gen [Trj]
Panda Trj/Chgt.AD