Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2024, 10:31 a.m.	Oct. 17, 2024, 11:07 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`431c75b491aa7535b92c5d9c00e23675`
SHA256	`66efd841fe3f48cba194688551284c8b7b775d8dd7401b813fd879bf7b366e7f`
CRC32	`096E22B5`
ssdeep	`49152:6X4uXjo0Zdx+3M7TF5D2n+H5cOoUao+vib4rMw:e4uTo0Zdxzs9Oobo+q8Mw`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe Antivirus - Contains references to security software anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ax.exe "C:\Users\test22\AppData\Local\Temp\ax.exe"
1884
- svchost.exe "C:\Users\test22\AppData\Roaming\svchost.exe"
  2052
- QQ.exe "C:\Users\test22\AppData\Roaming\QQ.exe"
  2088

Name	Response	Post-Analysis Lookup
iamasbcx.asuscomm.com

IP Address	Status	Action
106.52.15.123	Active	Moloch
110.40.45.163	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 110.40.45.163:60 -> 192.168.56.103:49164	2048478	ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 17, 2024, 10:31 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

One or more processes crashed (32 events)

Time & API	Arguments	Status
__exception__ Oct. 17, 2024, 10:31 a.m.	stacktrace: qq+0x1220c6 @ 0x5220c6 qq+0x12e906 @ 0x52e906 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: eb 09 f3 62 f0 97 62 dc 23 5a b5 c3 e9 76 ff ff exception.symbol: qq+0x79cfe exception.instruction: jmp 0x479d09 exception.module: QQ.exe exception.exception_code: 0x80000003 exception.offset: 498942 exception.address: 0x479cfe registers.esp: 1638008 registers.edi: 0 registers.eax: 0 registers.ebp: 1638052 registers.edx: 582600 registers.ebx: 5 registers.esi: 7106208 registers.ecx: 7106208	1
__exception__ Oct. 17, 2024, 10:31 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 1636992 registers.edi: 1637256 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 1637020 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:31 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:31 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:31 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:31 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:32 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 2704251970 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649028	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648960	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4648982	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1
__exception__ Oct. 17, 2024, 10:33 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 33553200 registers.edi: 33553464 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 33553228 registers.ecx: 4649000	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 4853 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 region_size: 1576960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	svchost.exe tried to sleep 192 seconds, actually delayed analysis time by 192 seconds
description	QQ.exe tried to sleep 159 seconds, actually delayed analysis time by 159 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 17, 2024, 10:31 a.m.	total_number_of_free_bytes: 9934503936 free_bytes_available: 9934503936 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Oct. 17, 2024, 10:31 a.m.	total_number_of_free_bytes: 9933484032 free_bytes_available: 9933484032 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b8db8

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b8db8

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b8db8

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b92a8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b92a8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b92a8

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b92a8

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ba9b0

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e2578

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e2578

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e37c0

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4208

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4254

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4254

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4254

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4304

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4304

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000e4304

size

0x00000014

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\svchost.exe
file	C:\Program Files\Windows NT\system.exe
file	C:\Users\test22\AppData\Roaming\QQ.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Oct. 17, 2024, 10:31 a.m.	service_start_name: start_type: 2 password: display_name: Albmnt wohqpopu filepath: C:\Program Files (x86)\Dhttdfv.exe service_name: Rsjshd fzfgkqcm filepath_r: C:\Program Files (x86)\Dhttdfv.exe desired_access: 983551 service_handle: 0x006d40c0 error_control: 1 service_type: 272 service_manager_handle: 0x006d3eb8	1	7160000	0

Creates a suspicious process (2 events)

cmdline	C:\Users\test22\AppData\Roaming\svchost.exe
cmdline	"C:\Users\test22\AppData\Roaming\svchost.exe"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\svchost.exe
file	C:\Users\test22\AppData\Roaming\QQ.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\QQ.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: taskhost.exe process_identifier: 792	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: cmd.exe process_identifier: 1972	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: SearchProtocolHost.exe process_identifier: 156	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: svchost.exe process_identifier: 2052	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: mscorsvw.exe process_identifier: 2472	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: mscorsvw.exe process_identifier: 2516	1	1
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 17, 2024, 10:31 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Expresses interest in specific running processes (1 event)

process

qq.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 115 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x00000000000002f8 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000000000000320 process_name: QQ.exe process_identifier: 2088		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0
Process32NextW Oct. 17, 2024, 10:31 a.m.	snapshot_handle: 0x0000040c process_name: Dhttdfv.exe process_identifier: 7602292		0	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 17, 2024, 10:31 a.m.	thread_identifier: 2056 thread_handle: 0x000002d4 process_identifier: 2052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\svchost.exe" filepath_r: C:\Users\test22\AppData\Roaming\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1	0
ShellExecuteExW Oct. 17, 2024, 10:31 a.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Roaming\\svchost.exe parameters: filepath: C:\Users\test22\AppData\Roaming\svchost.exe	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	106.52.15.123
host	110.40.45.163

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (1 event)

service_name

Rsjshd fzfgkqcm

service_path

C:\Program Files (x86)\Dhttdfv.exe

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lx2b
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Mauvaise.SL1
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Trojan.GenericKDZ.96447
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.96447
Sangfor	Trojan.Win32.SilverFox.swkah
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKDZ.96447
K7GW	Trojan ( 00539b2c1 )
K7AntiVirus	Trojan ( 00539b2c1 )
Arcabit	Trojan.Generic.D178BF
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Generic.Threat
ESET-NOD32	a variant of Win32/TrojanDropper.FlyStudio.CH
APEX	Malicious
Avast	Win64:RATX-gen [Trj]
ClamAV	Win.Malware.Barys-10002228-0
Kaspersky	HEUR:Backdoor.Win64.Agent.gen
Alibaba	TrojanDropper:Win32/Farfli.6539cf5d
NANO-Antivirus	Trojan.Win32.Download.ejlmmx
MicroWorld-eScan	Trojan.GenericKDZ.96447
Rising	Backdoor.Farfli!1.DE41 (CLASSIC)
Emsisoft	Trojan.GenericKDZ.96447 (B)
F-Secure	Trojan.TR/AVI.ValleyRAT.lyquj
DrWeb	Trojan.Rootkit.22030
Zillya	Trojan.Generic.Win32.327
TrendMicro	TROJ_GEN.R002C0DIB24
McAfeeD	Real Protect-LS!431C75B491AA
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.generic
Sophos	Troj/AutoG-EB
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.431c75b491aa7535
Jiangmin	Trojan.Generic.cakkw
Webroot	W32.Trojan.Tiggre
Google	Detected
Avira	TR/AVI.ValleyRAT.lyquj
Antiy-AVL	Trojan[Dropper]/Win32.FlyStudio
Kingsoft	Win64.Backdoor.Agent.gen
Gridinsoft	Trojan.Win32.Agent.vb!s1
Xcitium	Worm.Win32.Dropper.RA@1qraug
Microsoft	Trojan:Win32/Farfli!pz
ZoneAlarm	HEUR:Backdoor.Win64.Agent.gen
GData	Win32.Application.PSE.10ODIJ9
Varist	W32/Trojan.CLL.gen!Eldorado
AhnLab-V3	Trojan/Win32.Hupigon.C67371

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	106.52.15.123:80
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49166

ax.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All