Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2024, 9:18 a.m.	Oct. 20, 2024, 9:29 a.m.

Size	940.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b36366f4a27987d6de47887b03f29c68`
SHA256	`4cc1ab70e6fd0d4441c778d40212c6e3114e14d56da85717214f8498e1c1501b`
CRC32	`374DFC5E`
ssdeep	`24576:q4bDOphvGTO5+L0Un5cOoaPaoWXqEinqg4dNMBlqD9:HD2n+H5cOoUao+vib4rMu`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

QQ.exe "C:\Users\test22\AppData\Local\Temp\QQ.exe"
1156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
106.52.15.123	Active	Moloch
110.40.45.163	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sedata

One or more processes crashed (32 events)

Time & API	Arguments	Status
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: qq+0x1220c6 @ 0x5220c6 qq+0x12e906 @ 0x52e906 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: eb 09 f3 62 f0 97 62 dc 23 5a b5 c3 e9 76 ff ff exception.symbol: qq+0x79cfe exception.instruction: jmp 0x479d09 exception.module: QQ.exe exception.exception_code: 0x80000003 exception.offset: 498942 exception.address: 0x479cfe registers.esp: 1638008 registers.edi: 0 registers.eax: 0 registers.ebp: 1638052 registers.edx: 582600 registers.ebx: 5 registers.esi: 7237312 registers.ecx: 7237312	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 1636992 registers.edi: 1637256 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 393143851 registers.ebx: 545456128 registers.esi: 1637020 registers.ecx: 4649000	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:18 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 750568434 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648960	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:19 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:20 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1
__exception__ Oct. 20, 2024, 9:20 a.m.	stacktrace: exception.instruction_r: 8b dc 8b 1c 24 89 17 eb bd 8d 64 24 02 e9 2c 66 exception.symbol: qq+0xaf23c exception.instruction: mov ebx, esp exception.module: QQ.exe exception.exception_code: 0x80000004 exception.offset: 717372 exception.address: 0x4af23c registers.esp: 39385904 registers.edi: 39386168 registers.eax: 3277514786 registers.ebp: 4920381 registers.edx: 3354633803 registers.ebx: 545456128 registers.esi: 39385932 registers.ecx: 4648982	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 4853 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 region_size: 1576960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (13 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147858

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147d78

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147d78

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00147d78

size

0x00000014

Creates executable files on the filesystem (1 event)

file	C:\Program Files\Windows NT\system.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Oct. 20, 2024, 9:18 a.m.	service_start_name: start_type: 2 password: display_name: Albmnt wohqpopu filepath: C:\Program Files (x86)\Dhttdfv.exe service_name: Rsjshd fzfgkqcm filepath_r: C:\Program Files (x86)\Dhttdfv.exe desired_access: 983551 service_handle: 0x0070e860 error_control: 1 service_type: 272 service_manager_handle: 0x0070e8b0	1	7399520	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 20, 2024, 9:18 a.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00010000', u'virtual_address': u'0x00001000', u'entropy': 7.927037404813819, u'name': u'.text', u'virtual_size': u'0x0006e000'}

entropy

7.92703740481

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000c1000', u'virtual_address': u'0x0006f000', u'entropy': 7.819402663359728, u'name': u'.sedata', u'virtual_size': u'0x000c1000'}

entropy

7.81940266336

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x00148000', u'entropy': 7.981450049825864, u'name': u'.sedata', u'virtual_size': u'0x00001000'}

entropy

7.98145004983

description

A section with a high entropy has been found

entropy

0.897435897436

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (2 events)

host	106.52.15.123
host	110.40.45.163

Installs itself for autorun at Windows startup (1 event)

service_name

Rsjshd fzfgkqcm

service_path

C:\Program Files (x86)\Dhttdfv.exe

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lIx9
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.dc
ALYac	Trojan.GenericKD.74107475
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74107475
Sangfor	Trojan.Win32.Noobyprotect.Vrg7
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKD.74107475
K7GW	Trojan ( 00481e081 )
K7AntiVirus	Trojan ( 005239691 )
Arcabit	Trojan.Generic.D46ACA53
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.NoobyProtect.M suspicious
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Packed:Win32/NoobyProtect.31f427f0
MicroWorld-eScan	Trojan.GenericKD.74107475
Rising	Trojan.Kryptik@AI.83 (RDML:+YhEykvzG+XHISG/rAh6kg)
Emsisoft	Trojan.GenericKD.74107475 (B)
F-Secure	Heuristic.HEUR/AGEN.1348656
McAfeeD	Real Protect-LS!B36366F4A279
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.noobyprotect
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.b36366f4a27987d6
Google	Detected
Avira	HEUR/AGEN.1348656
Antiy-AVL	GrayWare/Win32.SafeGuard.a
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Heur!.030100A1
Xcitium	MalCrypt.Indus!@1qrzi1
Microsoft	Backdoor:Win32/Zegost.DU
ViRobot	Trojan.Win.Z.Noobyprotect.962560
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win32.Packed.NoobyProtect.B
Varist	W32/Trojan.DZQ.gen!Eldorado
AhnLab-V3	Trojan/Win32.Agent.R102129
McAfee	GenericRXAA-FA!B36366F4A279
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	PUA.NoobyProtect
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H07IB24
Tencent	Malware.Win32.Gencirc.1419b90b
Yandex	Trojan.GenAsa!V9qRHIEA934

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	110.40.45.163:70
dead_host	106.52.15.123:80

QQ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All