Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 20, 2025, 3:40 a.m.	Feb. 20, 2025, 3:41 a.m.

Size	5.7MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`306cd3926c2c44af0a1882041f2ec95a`
SHA256	`2272ef32d4bd76103535ef3cb4f0b7e6acf1ab1bced348d10767facd89215147`
CRC32	`9B48EE8F`
ssdeep	`98304:9v/1eH+fR8e0jvbI8S5MfWTrndx7/ssutayxIJByQm7rH0ZMwTiklOXlZmC:jeefEjDlMMfWXndxIsuoyxAyH0lWckl`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file

孟轩网1.0 64位.exe "C:\Users\test22\AppData\Local\Temp\孟轩网1.0 64位.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 20, 2025, 3:33 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 20, 2025, 3:33 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 20, 2025, 3:33 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d __dbk_fcall_wrapper-0xc35d _iQ1+0x11643 @ 0xa71643 __dbk_fcall_wrapper-0xc33f _iQ1+0x11661 @ 0xa71661 __dbk_fcall_wrapper+0x51fd43 dbkFCallWrapperAddr-0x447bcd _iQ1+0x53d6e3 @ 0xf9d6e3 __dbk_fcall_wrapper+0x52871e dbkFCallWrapperAddr-0x43f1f2 _iQ1+0x5460be @ 0xfa60be __dbk_fcall_wrapper+0x7fe9c0 dbkFCallWrapperAddr-0x168f50 _iQ1+0x81c360 @ 0x127c360 __dbk_fcall_wrapper+0x7fd850 dbkFCallWrapperAddr-0x16a0c0 _iQ1+0x81b1f0 @ 0x127b1f0 __dbk_fcall_wrapper+0x3057c5 dbkFCallWrapperAddr-0x66214b _iQ1+0x323165 @ 0xd83165 __dbk_fcall_wrapper+0x305165 dbkFCallWrapperAddr-0x6627ab _iQ1+0x322b05 @ 0xd82b05 __dbk_fcall_wrapper-0xddc0 _iQ1+0xfbe0 @ 0xa6fbe0 __dbk_fcall_wrapper+0x30500b dbkFCallWrapperAddr-0x662905 _iQ1+0x3229ab @ 0xd829ab __dbk_fcall_wrapper+0x316df9 dbkFCallWrapperAddr-0x650b17 _iQ1+0x334799 @ 0xd94799 __dbk_fcall_wrapper+0x87e7d2 dbkFCallWrapperAddr-0xe913e _iQ1+0x89c172 @ 0x12fc172 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 1765488 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1769008 registers.r11: 1767104 registers.r8: 0 registers.r9: 0 registers.rdx: 328 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1996273463 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Feb. 20, 2025, 3:33 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d
__dbk_fcall_wrapper-0xc35d _iQ1+0x11643 @ 0xa71643
__dbk_fcall_wrapper-0xc33f _iQ1+0x11661 @ 0xa71661
__dbk_fcall_wrapper+0x51fd43 dbkFCallWrapperAddr-0x447bcd _iQ1+0x53d6e3 @ 0xf9d6e3
__dbk_fcall_wrapper+0x52871e dbkFCallWrapperAddr-0x43f1f2 _iQ1+0x5460be @ 0xfa60be
__dbk_fcall_wrapper+0x7fe9c0 dbkFCallWrapperAddr-0x168f50 _iQ1+0x81c360 @ 0x127c360
__dbk_fcall_wrapper+0x7fd850 dbkFCallWrapperAddr-0x16a0c0 _iQ1+0x81b1f0 @ 0x127b1f0
__dbk_fcall_wrapper+0x3057c5 dbkFCallWrapperAddr-0x66214b _iQ1+0x323165 @ 0xd83165
__dbk_fcall_wrapper+0x305165 dbkFCallWrapperAddr-0x6627ab _iQ1+0x322b05 @ 0xd82b05
__dbk_fcall_wrapper-0xddc0 _iQ1+0xfbe0 @ 0xa6fbe0
__dbk_fcall_wrapper+0x30500b dbkFCallWrapperAddr-0x662905 _iQ1+0x3229ab @ 0xd829ab
__dbk_fcall_wrapper+0x316df9 dbkFCallWrapperAddr-0x650b17 _iQ1+0x334799 @ 0xd94799
__dbk_fcall_wrapper+0x87e7d2 dbkFCallWrapperAddr-0xe913e _iQ1+0x89c172 @ 0x12fc172
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 42141
exception.address: 0x7fefd4fa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 1765488
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1769008
registers.r11: 1767104
registers.r8: 0
registers.r9: 0
registers.rdx: 328
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1996273463
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 20, 2025, 3:33 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Feb. 20, 2025, 3:33 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\HTML2EXE\WebView2Loader64.dll

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Cylance

Unsafe

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x003f7800', u'virtual_address': u'0x009eb000', u'entropy': 7.922762451080679, u'name': u'UPX1', u'virtual_size': u'0x003f8000'}

entropy

7.92276245108

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001b2c00', u'virtual_address': u'0x00de3000', u'entropy': 7.980332827112516, u'name': u'.rsrc', u'virtual_size': u'0x001b3000'}

entropy

7.98033282711

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects virtualization software with SCSI Disk Identifier trick(s) (2 events)

registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count
registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Feb. 20, 2025, 3:33 a.m.	ordinal: 0 function_address: 0xffffffffffffffff function_name: wine_get_version module: ntdll module_address: 0x0000000076d30000		-1073741511	0

孟轩网1.0 64位.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All