Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2024, 9:55 a.m.	Nov. 11, 2024, 9:59 a.m.

Size	871.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6ad958806d2e545420aac7cc1fcb8506`
SHA256	`90a2f86a2a1d335779fd882588ff63deaf033f08b47b1a9d0716d5e34d3a8669`
CRC32	`0488A1CE`
ssdeep	`12288:y5xAv3xu+7LVWR9vJOXVtPdOpjAiTIaAzdI5xAv3xu+7LVWR:M+3xuyWQCjAlw+3xuyW`
PDB Path	C:\Users\smoke\Desktop\ProjectP-C\ProjectP-C\obj\Debug\ProjectP-C.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) IsPE32 - (no description)

chromedriver.exe "C:\Users\test22\AppData\Local\Temp\chromedriver.exe"
1984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
139.99.3.47	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Nov. 11, 2024, 9:55 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 11, 2024, 9:55 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2024, 9:55 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:55 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:55 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:55 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Nov. 11, 2024, 9:55 a.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA Nov. 11, 2024, 9:55 a.m.	buffer: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 139.99.3.47:80 at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception) --- End of inner exception stack trace --- at System.Net.WebClient.DownloadFile(Uri address, String fileName) at System.Net.WebClient.DownloadFile(String address, String fileName) at ProjectP_C.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\smoke\Desktop\ProjectP-C\ProjectP-C\obj\Debug\ProjectP-C.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2024, 9:55 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:55 a.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Documents\P.lnk

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 11, 2024, 9:55 a.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

139.99.3.47

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

139.99.3.47:80

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Alien.4!c
CAT-QuickHeal	Trojan.Multi
Skyhigh	BehavesLike.Win32.Agent.ch
ALYac	Trojan.GenericKD.74655824
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74655824
CrowdStrike	win/malicious_confidence_90% (W)
BitDefender	Trojan.GenericKD.74655824
Arcabit	Trojan.Generic.D4732850
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Generik.GJJWXXU
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Alien.gen
Alibaba	Trojan:MSIL/Alien.1f170d4d
NANO-Antivirus	Trojan.Win32.Alien.ktfrhy
MicroWorld-eScan	Trojan.GenericKD.74655824
Emsisoft	Trojan.GenericKD.74655824 (B)
F-Secure	Trojan.TR/Redcap.qofms
McAfeeD	ti!90A2F86A2A1D
CTX	exe.trojan.alien
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Trojan.GenericKD.74655824
Google	Detected
Avira	TR/Redcap.qofms
Antiy-AVL	Trojan/MSIL.Alien
Kingsoft	Win32.Troj.Unknown.a
Xcitium	Malware@#2w7921lf19wf5
Microsoft	Trojan:Win32/AgentTesla!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.74655824
Varist	W32/ABTrojan.TTEX-0053
AhnLab-V3	Trojan/Win.Generic.C5690448
McAfee	Artemis!6AD958806D2E
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Agent.MSIL
Ikarus	Trojan.SuspectCRC
Panda	Trj/Chgt.AD
Tencent	Malware.Win32.Gencirc.14206689
Yandex	Trojan.Alien!DGaPmM8TELM
MaxSecure	Trojan.Malware.73743839.susgen
Fortinet	PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml

chromedriver.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All