Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 14, 2025, 3:10 p.m.	Jan. 14, 2025, 3:14 p.m.

Size	2.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cb7654efb6866deb786eacaac42192f8`
SHA256	`c82cfeecdcbe7973389c9e37da260987ad2e5b731ec67455a7c86454eb02a1df`
CRC32	`461B9168`
ssdeep	`49152:ywREDDMKSqtB7Rbp8ssPO6V6GF9wYERyG:ywREgIBR2F6swrRH`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description) Generic_Malware_Zero - Generic Malware mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

GKPXAP.exe "C:\Users\test22\AppData\Local\Temp\GKPXAP.exe"
1700
- GKPXAP.tmp "C:\Users\test22\AppData\Local\Temp\is-59N8U.tmp\GKPXAP.tmp" /SL5="$40028,1362346,857600,C:\Users\test22\AppData\Local\Temp\GKPXAP.exe"
  1440
  - AutoClicker.exe "C:\Program Files\AutoClicker\AutoClicker.exe"
    2132
  - cmd.exe cmd /c ""C:\Program Files\AutoClicker\AutoClickerUpdate.bat" "
    2232
    - AutoClicker.exe AutoClicker.exe /update
      2304

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 14, 2025, 3:10 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 14, 2025, 3:10 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 14, 2025, 3:10 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 14, 2025, 3:03 p.m.	stacktrace: 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x7fef7c97ef8 registers.r14: 0 registers.r15: 197122 registers.rcx: 197122 registers.rsi: 1 registers.r10: 197122 registers.rbx: 0 registers.rsp: 2080296 registers.r11: 0 registers.r8: 1 registers.r9: 0 registers.rdx: 28 registers.r12: 0 registers.rbp: 12152368 registers.rdi: 0 registers.rax: 2080400 registers.r13: 28	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 14, 2025, 3:03 p.m.

stacktrace:

0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x7fef7c97ef8
registers.r14: 0
registers.r15: 197122
registers.rcx: 197122
registers.rsi: 1
registers.r10: 197122
registers.rbx: 0
registers.rsp: 2080296
registers.r11: 0
registers.r8: 1
registers.r9: 0
registers.rdx: 28
registers.r12: 0
registers.rbp: 12152368
registers.rdi: 0
registers.rax: 2080400
registers.r13: 28

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 14, 2025, 3:10 p.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01250000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 14, 2025, 3:10 p.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 688128 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 14, 2025, 3:10 p.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01307000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 14, 2025, 3:10 p.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 155648 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01309000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 14, 2025, 3:10 p.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 14, 2025, 3:03 p.m.	process_identifier: 2132 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 14, 2025, 3:03 p.m.	process_identifier: 2132 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 14, 2025, 3:03 p.m.	process_identifier: 2304 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 14, 2025, 3:03 p.m.	process_identifier: 2304 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AutoClicker\AutoClickerUpdate.bat

Drops a binary and executes it (1 event)

file	C:\Program Files\AutoClicker\AutoClickerUpdate.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-59N8U.tmp\GKPXAP.tmp

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 14, 2025, 3:10 p.m.	show_type: 0 filepath_r: C:\Program Files\AutoClicker\AutoClicker.exe parameters: filepath: C:\Program Files\AutoClicker\AutoClicker.exe	1	1	0
ShellExecuteExW Jan. 14, 2025, 3:10 p.m.	show_type: 0 filepath_r: C:\Program Files\AutoClicker\AutoClickerUpdate.bat parameters: filepath: C:\Program Files\AutoClicker\AutoClickerUpdate.bat	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation
url	http://schemas.openxmlformats.org/markup-compatibility/2006

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names.	rule	vmdetect_misc
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Jan. 14, 2025, 3:10 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9469F554-E8FD-41CE-A0B7-925319EAAAF6}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9469F554-E8FD-41CE-A0B7-925319EAAAF6}_is1		2	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 resumed a thread in remote process 2304
NtResumeThread Jan. 14, 2025, 3:10 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2304	1	0	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Jan. 14, 2025, 3:10 p.m.	ordinal: 0 function_address: 0x0125f7a8 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0
LdrGetProcedureAddress Jan. 14, 2025, 3:10 p.m.	ordinal: 0 function_address: 0x010c17b0 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.FSAutcik.4!c
CAT-QuickHeal	Trojan.Riskware
Cylance	Unsafe
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Avast	Win32:Malware-gen
Alibaba	Trojan:Win64/FSAutcik.4983d5f2
DrWeb	Trojan.PWS.Siggen3.39103
McAfeeD	ti!C82CFEECDCBE
CTX	exe.trojan.fsautcik
Sophos	Mal/Generic-S
Google	Detected
Microsoft	Trojan:Win64/FSAutcik
GData	Win32.Trojan.Agent.SM0VIW
AhnLab-V3	Dropper/Win.Proxyware.C5701827
McAfee	Artemis!CB7654EFB686
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4230244640
Ikarus	Trojan.Win64.FSAutcik
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
alibabacloud	Trojan:Win/FSAutcik.Gen

GKPXAP.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All