Summary | ZeroBOX

winlog.exe

Category | Machine | Started | Completed
FILE | s1_win7_x6402 | March 30, 2021, 6:18 p.m. | March 30, 2021, 6:20 p.m.
Size 212.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 f04d2a73e6cbfa7448cddc8a720e8b7d
SHA256 98a634da7b379b6369d5b7445c7aeb5a58aa195c8f088bf11c84c77ba2c972fd
CRC32 8E35534F
ssdeep 6144:nAPpDdteXz3u9TJdAuQFB1EKXwWP+W9pKDGP6c:MDdJJizFP+W9pKyP6c
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49817 -> 85.233.160.22:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49817 -> 85.233.160.22:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49817 -> 85.233.160.22:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49823 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49823 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49823 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49827 -> 64.190.62.111:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49827 -> 64.190.62.111:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49827 -> 64.190.62.111:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 184.168.131.241:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 184.168.131.241:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 184.168.131.241:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49821 -> 62.116.130.8:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49821 -> 62.116.130.8:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49821 -> 62.116.130.8:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49825 -> 91.195.240.94:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49825 -> 91.195.240.94:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49825 -> 91.195.240.94:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49819 -> 156.232.212.225:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49819 -> 156.232.212.225:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49819 -> 156.232.212.225:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 52.54.251.87:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 52.54.251.87:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 52.54.251.87:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API: GlobalMemoryStatusEx
Arguments: (none recorded)
Status: 1 | Return: 1 | Repeated: 0
section .ndata
suspicious_features | suspicious_request
GET method with no useragent header | GET http://www.starr2021.com/aqu2/?9r4P-=FDSTiZqVi7tV49ht7ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPsG8VHEGh5rPl6zGokL3&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.billionaireblinggg.com/aqu2/?9r4P-=ezJe0KVdq3fVmDouUeAbH78G8ipTOR7GTRL6he53iD6u4cwHuna0YSy1Ma1OKRV6+VXtkBZ5&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.biehnrecords.com/aqu2/?9r4P-=Nog7saUOe31pChY/asrlCYsF2JarF3pmjxxHAraosre8RL+8bBQEPfty0402us1yMe8cuyAg&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.infinapisoft.com/aqu2/?9r4P-=SveQ6QzNEG+Ue0UwYIovIxfrG5axgatZLqXsvY6ElwpmK3TkDnNFzNvAGoEWYf/jIVOkNNG5&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.duilian2013.com/aqu2/?9r4P-=5T8DNXyrvTvL3cvbCU8PV1xBAkBpMBooLRHVIm24TfVNXk1h2qJwczX0CVlXYEUDBsaTBuFr&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.autobrehna.com/aqu2/?9r4P-=wtLrPw5G3VNgAxvTFC+8Ts+SNzTM/uZNWocoEnFjjUI2fKD6Pab6SV03kGTmFfga64lrh9kx&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.playfulpainters.com/aqu2/?9r4P-=K5Kf6zcnOMGTDC2nOfN1gGfLaJuyFjl9HZYEWhqsekuFhK5NTINkzyKwNhoE1GWzMyDeLT6f&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.dottproject.com/aqu2/?9r4P-=8qPweG0M789YemAnK98F/0dsoL0lvZuH4dsjV8cLixPNFImJmQS9PHFW6D+/m7Lk8jThFiV8&EjU4Sz=fdMTVRIPcB
GET method with no useragent header | GET http://www.420vaca.com/aqu2/?9r4P-=8Y6pPms9UfKezqwrIA4J0qFhxM8TaW5F1yAxNjmyXs8DMCT68aA9YDkaYQcQ9glKOSYhsy+X&EjU4Sz=fdMTVRIPcB
request POST http://www.starr2021.com/aqu2/
request GET http://www.starr2021.com/aqu2/?9r4P-=FDSTiZqVi7tV49ht7ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPsG8VHEGh5rPl6zGokL3&EjU4Sz=fdMTVRIPcB
request POST http://www.billionaireblinggg.com/aqu2/
request GET http://www.billionaireblinggg.com/aqu2/?9r4P-=ezJe0KVdq3fVmDouUeAbH78G8ipTOR7GTRL6he53iD6u4cwHuna0YSy1Ma1OKRV6+VXtkBZ5&EjU4Sz=fdMTVRIPcB
request POST http://www.biehnrecords.com/aqu2/
request GET http://www.biehnrecords.com/aqu2/?9r4P-=Nog7saUOe31pChY/asrlCYsF2JarF3pmjxxHAraosre8RL+8bBQEPfty0402us1yMe8cuyAg&EjU4Sz=fdMTVRIPcB
request POST http://www.infinapisoft.com/aqu2/
request GET http://www.infinapisoft.com/aqu2/?9r4P-=SveQ6QzNEG+Ue0UwYIovIxfrG5axgatZLqXsvY6ElwpmK3TkDnNFzNvAGoEWYf/jIVOkNNG5&EjU4Sz=fdMTVRIPcB
request POST http://www.duilian2013.com/aqu2/
request GET http://www.duilian2013.com/aqu2/?9r4P-=5T8DNXyrvTvL3cvbCU8PV1xBAkBpMBooLRHVIm24TfVNXk1h2qJwczX0CVlXYEUDBsaTBuFr&EjU4Sz=fdMTVRIPcB
request POST http://www.autobrehna.com/aqu2/
request GET http://www.autobrehna.com/aqu2/?9r4P-=wtLrPw5G3VNgAxvTFC+8Ts+SNzTM/uZNWocoEnFjjUI2fKD6Pab6SV03kGTmFfga64lrh9kx&EjU4Sz=fdMTVRIPcB
request POST http://www.playfulpainters.com/aqu2/
request GET http://www.playfulpainters.com/aqu2/?9r4P-=K5Kf6zcnOMGTDC2nOfN1gGfLaJuyFjl9HZYEWhqsekuFhK5NTINkzyKwNhoE1GWzMyDeLT6f&EjU4Sz=fdMTVRIPcB
request POST http://www.dottproject.com/aqu2/
request GET http://www.dottproject.com/aqu2/?9r4P-=8qPweG0M789YemAnK98F/0dsoL0lvZuH4dsjV8cLixPNFImJmQS9PHFW6D+/m7Lk8jThFiV8&EjU4Sz=fdMTVRIPcB
request POST http://www.420vaca.com/aqu2/
request GET http://www.420vaca.com/aqu2/?9r4P-=8Y6pPms9UfKezqwrIA4J0qFhxM8TaW5F1yAxNjmyXs8DMCT68aA9YDkaYQcQ9glKOSYhsy+X&EjU4Sz=fdMTVRIPcB
request POST http://www.starr2021.com/aqu2/
request POST http://www.billionaireblinggg.com/aqu2/
request POST http://www.biehnrecords.com/aqu2/
request POST http://www.infinapisoft.com/aqu2/
request POST http://www.duilian2013.com/aqu2/
request POST http://www.autobrehna.com/aqu2/
request POST http://www.playfulpainters.com/aqu2/
request POST http://www.dottproject.com/aqu2/
request POST http://www.420vaca.com/aqu2/
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 3576
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 8192
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x10002000
  process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0

Time & API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 8768
  region_size: 3158016
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00850000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsk5.tmp\5e18vd6n7x.dll
Time & API: LookupPrivilegeValueW
Arguments:
  system_name: (empty)
  privilege_name: SeDebugPrivilege
Status: 1 | Return: 1 | Repeated: 0
host 172.217.25.14
Vendor | Detection
Cyren | W32/Injector.AFV.gen!Eldorado
Symantec | ML.Attribute.HighConfidence
ESET-NOD32 | a variant of Win32/Injector.EOZT
APEX | Malicious
Avast | Win32:MalwareX-gen [Trj]
Ikarus | Trojan.NSIS.Agent
Microsoft | Program:Win32/Wacapew.C!ml
McAfee | Artemis!9A942BDBC7A3
Rising | Trojan.Injector!8.C4 (TFE:5:3uSC0FHA2LO)
Fortinet | W32/Injector.AFV!tr
AVG | Win32:MalwareX-gen [Trj]
Process injection Process 3576 called NtSetContextThread to modify thread in remote process 8768
Time & API: NtSetContextThread
Arguments:
  registers.eip: 2000355780
  registers.esp: 1638384
  registers.edi: 0
  registers.eax: 4313232
  registers.ebp: 0
  registers.edx: 0
  registers.ebx: 2130567168
  registers.esi: 0
  registers.ecx: 0
  thread_handle: 0x00000204
  process_identifier: 8768
Status: 1 | Return: 0 | Repeated: 0