Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 1, 2025, 8:33 a.m.	May 1, 2025, 8:36 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`07b77fb8f45c51285430c785979c4f3c`
SHA256	`f50b65259e1dbad9e27c81e15d17962895c9ee8d3e9e981a6fac7c01a77e6b60`
CRC32	`6ADFD41F`
ssdeep	`24576:8nsJ39LyjbJkQFMhmC+6GD9m+/uphXo3yUhF0ix:8nsHyjtk2MYC5GDA+wXo3R04`
Yara	PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

es.exe "C:\Users\test22\AppData\Local\Temp\es.exe"
2072
- ._cache_es.exe "C:\Users\test22\AppData\Local\Temp\._cache_es.exe"
  2248
- Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2312

Name	Response	Post-Analysis Lookup
docs.google.com	A 142.250.71.238	172.217.161.206
xred.mooo.com
drive.usercontent.google.com	A 142.250.76.1	142.250.206.193
www.dropbox.com	CNAME www-env.dropbox-dns.com A 162.125.84.18	162.125.84.18
freedns.afraid.org	A 69.42.215.252	69.42.215.252

IP Address	Status	Action
142.250.198.46	Active	Moloch
142.250.71.129	Active	Moloch
142.250.71.238	Active	Moloch
142.250.76.1	Active	Moloch
162.125.84.18	Active	Moloch
164.124.101.2	Active	Moloch
69.42.215.252	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2015633	ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 142.250.71.238:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 142.250.76.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 142.250.71.238:443	C=US, O=Google Trust Services, CN=WE2	CN=*.google.com	67:52:2f:ab:93:de:39:da:94:50:11:ae:8b:37:cb:88:8f:dc:56:7d
TLSv1 192.168.56.103:49171 142.250.76.1:443	C=US, O=Google Trust Services, CN=WE2	CN=*.usercontent.google.com	e2:75:33:38:ea:c5:6b:07:01:99:0c:e5:64:b0:63:79:cc:b5:d4:83

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 1, 2025, 8:33 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ May 1, 2025, 8:33 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x959fc @ 0x4959fc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 55442908 registers.edi: 55443096 registers.eax: 55442908 registers.ebp: 55442988 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ May 1, 2025, 8:33 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95a83 @ 0x495a83 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 55440720 registers.edi: 55440908 registers.eax: 55440720 registers.ebp: 55440800 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11004 registers.ecx: 7	1
__exception__ May 1, 2025, 8:33 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95b0a @ 0x495b0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 55438532 registers.edi: 55438720 registers.eax: 55438532 registers.ebp: 55438612 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1

Connects to a Dynamic DNS Domain (1 event)

domain

xred.mooo.com

Performs some HTTP requests (5 events)

request	GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 1, 2025, 8:33 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 1, 2025, 8:33 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (12 events)

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x0016a1b8

size

0x000047d3

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0016ea18

size

0x00000014

name

RT_VERSION

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x0016ea2c

size

0x00000304

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\Synaptics\Synaptics.dll
file	C:\Users\test22\AppData\Local\Temp\._cache_es.exe

Looks up the Dropbox cloud service (1 event)

domain

www.dropbox.com

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\._cache_es.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\._cache_es.exe

Communicates with host for which no DNS query was performed (2 events)

host	142.250.198.46
host	142.250.71.129

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

reg_value

C:\ProgramData\Synaptics\Synaptics.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 1, 2025, 8:33 a.m.	thread_identifier: 0 callback_function: 0x030e3540 hook_identifier: 2 (WH_KEYBOARD) module_address: 0x030e0000	1	197103	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	Synaptics.exe				useragent	MyApp
process	Synaptics.exe				useragent	Synaptics.exe

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.DarkKomet.tp6k
Cynet	Malicious (score: 100)
CAT-QuickHeal	Sus.Nocivo.E0011
Skyhigh	BehavesLike.Win32.Synaptics.th
ALYac	Trojan.GenericKD.76268367
Cylance	Unsafe
VIPRE	Trojan.GenericKD.76268367
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.76268367
K7GW	Trojan ( 000112511 )
K7AntiVirus	Trojan ( 000112511 )
Arcabit	HEUR.VBA.Trojan.d
Symantec	W32.Zorex
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Delf.NBX
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Emotet-9850453-0
Kaspersky	Backdoor.Win32.DarkKomet.hqxy
Alibaba	Backdoor:Win32/DarkKomet.353
NANO-Antivirus	Trojan.Win32.DarkKomet.fazbwq
MicroWorld-eScan	Trojan.GenericKD.76268367
Rising	Virus.Synaptics!1.E51C (CLASSIC)
Emsisoft	Trojan.GenericKD.76268367 (B)
F-Secure	Dropper.DR/Delphi.Gen
DrWeb	Win32.HLLW.Siggen.10555
Zillya	Trojan.Delf.Win32.76144
TrendMicro	Virus.Win32.NAPWHICH.B
McAfeeD	ti!F50B65259E1D
CTX	exe.trojan.generic
Sophos	ElReceptor Keyboard Hook (PUA)
SentinelOne	Static AI - Malicious PE
Jiangmin	Win32/Synaptics.Gen
Webroot	W32.Malware.gen
Google	Detected
Avira	DR/Delphi.Gen
Antiy-AVL	Virus/Win32.DarkKomet.a
Gridinsoft	Trojan.Win32.Downloader.mz!n
Xcitium	Virus.Win32.Agent.DE@74b38h
Microsoft	Worm:Win32/AutoRun!atmn
ViRobot	Win32.Zorex.A
GData	Win32.Backdoor.Agent.AXS
Varist	W32/Trojan.YMOP-5085
AhnLab-V3	Win32/Zorex.X1799
Acronis	suspicious
McAfee	W32/Synaptics
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.Delf

es.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All