Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 11, 2025, 10:50 a.m.	March 11, 2025, 10:52 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`882396942bded48550ad6cddeb511480`
SHA256	`ad50c64c49f0ea386631f5c53a2ee7bd952e5168f5234704f9cb4f9be32f5944`
CRC32	`E4B0014B`
ssdeep	`24576:r1xwO3PFZ7+z8scoC88rvZuDtLdG7N5obiBFvyHY4CI7ROBz:r1xRF1leAHMiBm7gz`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file

vcc.exe "C:\Users\test22\AppData\Local\Temp\vcc.exe"
2004
- cmd.exe cmd /c ""C:\\Users\\All Users\\3046.cmd""
  2384
  - esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
    2508
- cmd.exe cmd /c ""C:\\Users\\All Users\\204.cmd""
  2420
  - PING.EXE ping 127.0.0.1 -n 10
    2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 11, 2025, 10:50 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 11, 2025, 10:50 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW March 11, 2025, 10:50 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleA March 11, 2025, 10:50 a.m.	buffer: FAILURE: GetOverlappedResult (read) returned wrong number of bytes: The operation completed successfully. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 11, 2025, 10:50 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (50 out of 549 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3567587327 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536650 process_handle: 0xffffffff		3221225496

Creates executable files on the filesystem (4 events)

file	C:\Users\All Users\neo.cmd
file	C:\Users\All Users\204.cmd
file	C:\Users\test22\Links\daphpvwO.pif
file	C:\Users\All Users\3046.cmd

Creates a suspicious process (1 event)

cmdline

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

Drops a binary and executes it (1 event)

file	C:\Users\Public\alpha.pif

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02ff1000 process_handle: 0xffffffff	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping 127.0.0.1 -n 10

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2720 region_size: 472182784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2720 region_size: 472179234 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Deletes executed files from disk (1 event)

file

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2004 manipulating memory of non-child process 2720
NtUnmapViewOfSection March 11, 2025, 10:50 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2720 process_handle: 0x000002a4	1	0	0
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2720 region_size: 472182784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0	0
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2720 region_size: 472179234 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2004 called NtSetContextThread to modify thread in remote process 2720
NtSetContextThread March 11, 2025, 10:50 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2720	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2004 resumed a thread in remote process 2720
NtResumeThread March 11, 2025, 10:50 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2720	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 2388 thread_handle: 0x000002a0 process_identifier: 2384 current_directory: filepath: track: 1 command_line: C:\\Users\\All Users\\3046.cmd filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 2424 thread_handle: 0x000002a0 process_identifier: 2420 current_directory: filepath: track: 1 command_line: C:\\Users\\All Users\\204.cmd filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 2724 thread_handle: 0x000002a0 process_identifier: 2720 current_directory: filepath: track: 1 command_line: C:\\Users\\test22\\Links\daphpvwO.pif filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread March 11, 2025, 10:50 a.m.	thread_handle: 0x000002a0	1	0
NtUnmapViewOfSection March 11, 2025, 10:50 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2720 process_handle: 0x000002a4	1	0
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2720 region_size: 472182784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4	1	0
NtAllocateVirtualMemory March 11, 2025, 10:50 a.m.	process_identifier: 2720 region_size: 472179234 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496
NtSetContextThread March 11, 2025, 10:50 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4246831 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a0 process_identifier: 2720	1	0
NtResumeThread March 11, 2025, 10:50 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2720	1	0
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 2512 thread_handle: 0x00000084 process_identifier: 2508 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\esentutl.exe track: 1 command_line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o filepath_r: C:\Windows\System32\esentutl.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\Public\alpha.pif track: 0 command_line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" filepath_r: C:\Users\Public\alpha.pif stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000		0
CreateProcessInternalW March 11, 2025, 10:50 a.m.	thread_identifier: 2548 thread_handle: 0x0000008c process_identifier: 2544 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 10 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread March 11, 2025, 10:50 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2544	1	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.ModiLoader.b!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.1741624869511480
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.ModiLoader.AHI
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Trojan.Modiloader-10042434-0
Kaspersky	HEUR:Trojan-Dropper.Win32.Injector.gen
Alibaba	TrojanDropper:Win32/Injector.b6e21365
Rising	Downloader.Agent!1.EFE4 (CLASSIC)
McAfeeD	ti!AD50C64C49F0
CTX	exe.trojan.modiloader
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.882396942bded485
Google	Detected
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	malware.kb.a.995
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/DBatLoader.VCL!MTB
Varist	W32/ModiLoader.J.gen!Eldorado
AhnLab-V3	Trojan/Win.Leonem.C5324271
McAfee	Artemis!882396942BDE
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3573899245
Ikarus	Trojan.Inject
Tencent	OB:Trojan-DL.Win32.Modiloader.16001687
Yandex	Trojan.Igent.b31GyE.7
huorong	TrojanDownloader/ModiLoader.a
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.ABE!tr
AVG	Win32:DropperX-gen [Drp]
alibabacloud	Trojan[dropper]:Win/ModiLoader.AJE

vcc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All