Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 22, 2024, 3:31 p.m.	Nov. 22, 2024, 3:33 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0a8711fa1cb4189ab364c217db5f3620`
SHA256	`437c785b2093ffb955f17d63758cfb10e741509415cc55de8050e2d918716a4a`
CRC32	`113E3613`
ssdeep	`24576:Y/WWf67etHLvLdh+dLNuK5imSFRWct3BfA59jACSr6ggTan9mTYdGvhH0WygS:Uf66tXdh+147YcXIfUCc6bG9DgS`
Yara	Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer Antivirus - Contains references to security software IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

build.exe "C:\Users\test22\AppData\Local\Temp\build.exe"
2600
- csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2756

Name	Response	Post-Analysis Lookup
oportunidad-escolombiasegura.cfd		181.141.40.225

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 22, 2024, 3:31 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 22, 2024, 3:31 p.m.			0	0
IsDebuggerPresent Nov. 22, 2024, 3:31 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (5 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 22, 2024, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 22, 2024, 3:31 p.m.	buffer: f ²szÕ»í³-n÷o¤tÄAFSË1N¹! °;:Ò crypto_handle: 0x0076b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Nov. 22, 2024, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 22, 2024, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 22, 2024, 3:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 22, 2024, 3:31 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	PNG
resource name	TEXTINCLUDE
resource name	None

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 22, 2024, 3:31 p.m.	stacktrace: 0x261d8d9 0x261d6a6 0xab5499 0xab5429 0xab517e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72821838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72821737 mscorlib+0x2d3711 @ 0x71ab3711 mscorlib+0x2cf92a @ 0x71aaf92a 0x970a72 0x970096 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc a1 80 46 9a 03 83 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x261d9c2 registers.esp: 5172860 registers.edi: 45791000 registers.eax: 0 registers.ebp: 5172912 registers.edx: 195 registers.ebx: 0 registers.esi: 45791148 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 22, 2024, 3:31 p.m.

stacktrace:

0x261d8d9
0x261d6a6
0xab5499
0xab5429
0xab517e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72821838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72821737
mscorlib+0x2d3711 @ 0x71ab3711
mscorlib+0x2cf92a @ 0x71aaf92a
0x970a72
0x970096
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc a1 80 46 9a 03 83
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x261d9c2
registers.esp: 5172860
registers.edi: 45791000
registers.eax: 0
registers.ebp: 5172912
registers.edx: 195
registers.ebx: 0
registers.esi: 45791148
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 92 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00543000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 region_size: 100003840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00549000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00558000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 212992 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 184320 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00563000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 647168 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 region_size: 671744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 167936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 647168 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00974000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00975000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\Pictures\QuickTextPaste\Bin\QuickTextPaste.exe

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0003a400', u'virtual_address': u'0x00001000', u'entropy': 6.827215242326267, u'name': u'.text', u'virtual_size': u'0x0003a2ea'}

entropy

6.82721524233

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00012200', u'virtual_address': u'0x00044000', u'entropy': 7.634244653448695, u'name': u'.data', u'virtual_size': u'0x0003c8fc'}

entropy

7.63424465345

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0013f000', u'virtual_address': u'0x00081000', u'entropy': 7.577425004999524, u'name': u'.rsrc', u'virtual_size': u'0x0013ef68'}

entropy

7.577425005

description

A section with a high entropy has been found

entropy

0.981383803909

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 22, 2024, 3:31 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 11b7872e260853b6f0c5ba0da4a375438e94101b

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 671744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\QuickTextPaste

reg_value

C:\Users\test22\Pictures\QuickTextPaste\Bin\QuickTextPaste.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0xfffde008 process_identifier: 2756 process_handle: 0x000000c8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2600 called NtSetContextThread to modify thread in remote process 2756
NtSetContextThread Nov. 22, 2024, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 2222574 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c4 process_identifier: 2756	1	0	0

Executed a process and injected code into it, probably while unpacking (10 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 22, 2024, 3:31 p.m.	thread_identifier: 2760 thread_handle: 0x000000c4 process_identifier: 2756 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe stack_pivoted: 0 creation_flags: 2 (DEBUG_ONLY_THIS_PROCESS) inherit_handles: 0 process_handle: 0x000000c8	1	1
NtGetContextThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000000c4	1	0
NtAllocateVirtualMemory Nov. 22, 2024, 3:31 p.m.	process_identifier: 2756 region_size: 671744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000c8	1	0
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0x00180000 process_identifier: 2756 process_handle: 0x000000c8	1	1
WriteProcessMemory Nov. 22, 2024, 3:31 p.m.	buffer: base_address: 0xfffde008 process_identifier: 2756 process_handle: 0x000000c8	1	1
NtSetContextThread Nov. 22, 2024, 3:31 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 2222574 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c4 process_identifier: 2756	1	0
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Nov. 22, 2024, 3:31 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2756	1	0
NtResumeThread Nov. 22, 2024, 3:32 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 2756	1	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Loader.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Loader
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.74864883
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74864883
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74864883
K7GW	Trojan ( 005bd89c1 )
K7AntiVirus	Trojan ( 005bd89c1 )
Arcabit	Trojan.Generic.D47658F3
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.GBNGPYT
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Loader.gen
Alibaba	Trojan:Win32/Loader.9f6bf136
NANO-Antivirus	Trojan.Win32.Loader.ktmwgu
MicroWorld-eScan	Trojan.GenericKD.74864883
Rising	Trojan.Injector!1.FCCE (CLASSIC)
Emsisoft	Trojan.GenericKD.74864883 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen2
DrWeb	Trojan.Inject5.12078
TrendMicro	BKDR_ZEGOST.SM51
McAfeeD	ti!437C785B2093
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.loader
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.0a8711fa1cb4189a
Webroot	Win.Trojan.Gen
Google	Detected
Avira	TR/Crypt.XPACK.Gen2
Antiy-AVL	Trojan/Win32.Loader
Kingsoft	Win32.Trojan.Loader.gen
Xcitium	Malware@#ms8arnbzpp53
Microsoft	Trojan:Win32/Leonem
GData	Trojan.GenericKD.74864883
Varist	W32/ABTrojan.QWEG-6867
AhnLab-V3	Backdoor/Win.Zegost.C5697234
McAfee	Artemis!0A8711FA1CB4
DeepInstinct	MALICIOUS
VBA32	Trojan.Loader
Malwarebytes	Backdoor.Bot
Ikarus	Trojan.Win32.Krypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	BKDR_ZEGOST.SM51
Tencent	Win32.Trojan.Loader.Xmhl

build.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All