Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.05 04:11
VST32License.exe
11.05 03:11
VST32License.exe
11.03 01:11
DocTromTinNhan.exe
11.01 06:11
MPDW-constraints.vbs
11.01 06:11
87f3f2.exe
11.01 06:11
Client-built.exe
11.01 06:11
norm.exe
11.01 06:11
chrome_131.exe
11.01 06:11
kjrhjijawdkrjhh.exe
11.01 09:11
Calibre_Installer.exe

Latest News
11.05 01:11
메가존클라우드-파이오링크, 클라우드 보안...
11.05 01:11
프로페셔널 헤어케어 브랜드 레삐, ‘20...
11.05 01:11
Chinese Group Accused ...
11.05 01:11
25년 정보보호 전자공시시스템 고도화 및...
11.05 01:11
KISA, 민원 응대 보호시스템 전사 확대
11.05 01:11
아늑샵, 2024년 4분기 '한국소비자인...
11.05 01:11
크라운슬립, 프리미엄 구스 이불 론칭 기...
11.05 01:11
Google Warns of Active...
11.05 12:11
안랩, 2024년 3분기 매출 685억,...
11.05 12:11
Southeast Asia’s Digit...

Summary | ZeroBOX

ProduKey.exe

UPX Malicious Library PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 9:27 a.m.	Sept. 30, 2024, 9:56 a.m.

Size	128.7KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`8c1c2a6e66e0769380b878a0f3ab6208`
SHA256	`92392bd287c748f7da0c5ca8aa394f44d6980f0efdd276cf34d7adbd12ddfd6f`
CRC32	`4CFAF56D`
ssdeep	`3072:I5wYR6wga1nr9oH8OCpaCBXq5jK+hs6sTG9e+yO:nEgsFmCCurTYL`
PDB Path	c:\Projects\VS2005\ProduKey\x64\Release\ProduKey.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

ProduKey.exe "C:\Users\test22\AppData\Local\Temp\ProduKey.exe"
2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 30, 2024, 9:20 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (9 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Registration\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{90140000-0011-0000-1000-0000000FF1CE}\DigitalProductID

This executable has a PDB path (1 event)

pdb_path

c:\Projects\VS2005\ProduKey\x64\Release\ProduKey.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 9:20 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 30, 2024, 9:20 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Cylance	Unsafe
CrowdStrike	win/grayware_confidence_100% (W)
Arcabit	Application.Nirsoft
ESET-NOD32	a variant of Win64/PSWTool.ProductKey.A potentially unsafe
Rising	PUA.Presenoker!8.F608 (CLOUD)
TrendMicro	HackTool.Win64.PassView.A
McAfeeD	ti!92392BD287C7
Antiy-AVL	HackTool/Win32.ProductKey
Gridinsoft	PUP.Win64.Presenoker.vb
Xcitium	ApplicUnwnt@#2nlap14tg2gay
Microsoft	HackTool:Win32/ProductKey
GData	Win64.Application.Agent.4WZIH9
DeepInstinct	MALICIOUS
Malwarebytes	HackTool.Agent.Nirsoft
TrendMicro-HouseCall	HackTool.Win64.PassView.A

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 30, 2024, 9:20 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741275	0