Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 3, 2025, 5:54 p.m.	Jan. 3, 2025, 5:57 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`119a00350e1a20e1a3ea01153b91001b`
SHA256	`f8d8066380ecd1341441dd2b0b8562c5ec662148c86376cbc5da494af8434cee`
CRC32	`198ADC20`
ssdeep	`49152:9ORCQxgswnpPJDps5v/FyqnL0t9sSeO6ONSuA7MjsfdVx7X+0YRYs:9nQxgswpPJDpS9bL0t9sS2ONSuA73DVA`
PDB Path	C:\Users\ZhuanZ\Desktop\åç½®å è½½\Release\åç½®å è½½.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
1540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\Users\ZhuanZ\Desktop\åç½®å è½½\Release\åç½®å è½½.pdb

Foreign language identified in PE resource (50 out of 66 events)

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00179f04

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017a0f0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0017a0f0

size

0x00000144

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018a5b8

size

0x00000468

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018acfc

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018acfc

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018acfc

size

0x00000034

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018acfc

size

0x00000034

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b660

size

0x000001a6

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x1

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0018b930

size

0x00000014

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (37 events)

Time & API	Arguments	Status	Return
Process32FirstW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: System process_identifier: 4	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: services.exe process_identifier: 436	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: lsm.exe process_identifier: 460	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: mobsync.exe process_identifier: 1552	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: wsqmcons.exe process_identifier: 792	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: taskhost.exe process_identifier: 880	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: sdclt.exe process_identifier: 1836	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: cmd.exe process_identifier: 156	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: SearchProtocolHost.exe process_identifier: 496	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: conhost.exe process_identifier: 1572	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: SearchFilterHost.exe process_identifier: 1440	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: 2.exe process_identifier: 1540	1	1
Process32NextW Jan. 3, 2025, 5:54 p.m.	snapshot_handle: 0x000000f0 process_name: pw.exe process_identifier: 1072	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00017400', u'virtual_address': u'0x00159000', u'entropy': 7.604032792240808, u'name': u'.data', u'virtual_size': u'0x0001e7e4'}

entropy

7.60403279224

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00014000', u'virtual_address': u'0x00178000', u'entropy': 6.835151820226618, u'name': u'.rsrc', u'virtual_size': u'0x00013f80'}

entropy

6.83515182023

description

A section with a high entropy has been found

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.XWorm.m!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Ghanarava.173488322591001b
Skyhigh	BehavesLike.Win32.Infected.th
ALYac	Trojan.GenericKD.75168494
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75168494
Sangfor	Backdoor.Win32.Xworm.V9r2
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75168494
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Arcabit	Trojan.Generic.D47AFAEE
VirIT	Trojan.Win32.Genus.XLT
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik.HFBD
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Backdoor.Win32.XWorm.gen
Alibaba	Backdoor:Win32/XWorm.c61dba98
MicroWorld-eScan	Trojan.GenericKD.75168494
Rising	Backdoor.XWorm!8.1812C (CLOUD)
Emsisoft	Trojan.GenericKD.75168494 (B)
F-Secure	Backdoor.BDS/Redcap.yddhj
Zillya	Backdoor.XWorm.Win32.1324
TrendMicro	TROJ_GEN.R002C0DLQ24
McAfeeD	ti!F8D8066380EC
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.75168494
Avira	BDS/Redcap.yddhj
Kingsoft	Win32.Hack.XWorm.gen
Gridinsoft	Malware.Win32.XWorm.tr
Microsoft	Trojan:MSIL/XWorm!rfn
GData	Trojan.GenericKD.75168494
AhnLab-V3	Trojan/Win.Generic.C5708327
McAfee	Artemis!119A00350E1A
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Win32.Outbreak
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DLQ24
Tencent	Backdoor.Win32.Runshell_l.16001577
MaxSecure	Trojan.Malware.237301595.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Backdoor:Win/XWorm.gyf

2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All