Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 16, 2025, 10:05 p.m.	Jan. 16, 2025, 10:05 p.m.

Size	7.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`859db299e0810718e19c33f3802b7f74`
SHA256	`37bafe751e9307c119b84d7247f7c1d6b5c63810f4ad67dfc8c1a6d1479bf4b2`
CRC32	`A8721E4D`
ssdeep	`98304:eDNC89EF0yd7wyYnVz02/ZZmbZFu78XfrLTI4O6xr:eDNCQMrdxB2/XmbZ888fA`
PDB Path	Set-up.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature PhysicalDrive_20181001 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Set-up.exe.js
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

Set-up.pdb

The file contains an unknown PE resource name possibly indicative of a packer (6 events)

resource name	CSS
resource name	DICTIONARY
resource name	GIF
resource name	JS
resource name	PNG
resource name	SVG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 16, 2025, 10:05 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 wscript+0x2fbd @ 0x532fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 1571528 registers.edi: 0 registers.eax: 31625976 registers.ebp: 1571556 registers.edx: 1 registers.ebx: 0 registers.esi: 3203488 registers.ecx: 1931818460	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 16, 2025, 10:05 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
wscript+0x2fbd @ 0x532fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 1571528
registers.edi: 0
registers.eax: 31625976
registers.ebp: 1571556
registers.edx: 1
registers.ebx: 0
registers.esi: 3203488
registers.ecx: 1931818460

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.Common.D1508A1F
Lionic	Trojan.Win32.Crack.4!c
CAT-QuickHeal	Trojan.Ghanarava.17335400742b7f74
Skyhigh	Artemis!PUP
ALYac	Application.Agent.LTU
Cylance	Unsafe
VIPRE	Application.Agent.LTU
Sangfor	Trojan.Win32.Crack.Vbce
BitDefender	Application.Agent.LTU
K7GW	Unwanted-Program ( 005b1e471 )
K7AntiVirus	Unwanted-Program ( 005b1e471 )
Arcabit	Application.Agent.LTU
Elastic	malicious (moderate confidence)
ESET-NOD32	Win32/HackTool.Crack.OH potentially unsafe
Avast	FileRepMalware [Misc]
Kaspersky	Trojan.Win32.Agentb.mmni
MicroWorld-eScan	Application.Agent.LTU
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Application.Agent.LTU (B)
F-Secure	PrivacyRisk.SPR/Agent.fpgny
Zillya	Tool.Crack.Win32.5687
CTX	exe.trojan.crack
Sophos	Generic Reputation PUA (PUA)
FireEye	Application.Agent.LTU
Webroot	W32.Malware.Gen
Avira	SPR/Agent.fpgny
Antiy-AVL	HackTool/Win32.Crack
Kingsoft	Win32.Riskware.Crack.f
Gridinsoft	Hack.Win32.Patcher.cl
GData	Application.Agent.LTU
Varist	W32/ABApplication.CGEM-6063
McAfee	Artemis!859DB299E081
DeepInstinct	MALICIOUS
VBA32	Trojan.Agentb
Ikarus	PUA.HackTool.Crack
Zoner	Trojan.Win32.177262
Yandex	Trojan.Agentb!vzdHIc+VVIU
MaxSecure	Trojan.Malware.3411146.susgen
Fortinet	Riskware/Crack
AVG	FileRepMalware [Misc]
Paloalto	generic.ml

Set-up.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All