Summary | ZeroBOX

KHieqeOsagkmlGIuXc56

Tags: UPX, Malicious Library, PE64, PE File, DLL, OS Processor Check

Category: FILE
Machine: s1_win7_x6401
Started: May 13, 2022, 11:03 a.m.
Completed: May 13, 2022, 11:15 a.m.
Size: 764.5KB
Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5: 17405af200d73c164f1cc2fbee421f0b
SHA256: d2ca9798cc615221a1a435df9ec413ed27c3796bf255870b7235b8538c019175
CRC32: 84104DB9
ssdeep: 12288:e1NKDzZKRpnBlD7MGVrdjF3hRcTsApSvHQdOzyK7zjwOjmStjNwgraKRT61cKGNx:S4DzZKnH4ERGY61WN+
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • IsDLL - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

DNS lookups (Name / Response / Post-Analysis Lookup): none. No hosts were contacted by name; every connection went straight to an IP address.

IP addresses contacted (all reported as Active; the Action column on the original page is a link to the Moloch pcap viewer):
  107.182.225.142
  149.56.131.28
  150.95.66.124
  158.69.222.101
  159.65.88.10
  172.104.251.154
  185.157.82.211
  196.218.30.83
  212.24.98.99
  45.176.232.124
  58.227.42.236
  63.142.250.212
  91.207.28.33

Suricata Alerts

192.168.56.101 is the analysis VM; the other endpoint of each flow is the server the sample contacted.

Flow                                           | SID     | Signature                                                       | Category
TCP 192.168.56.101:49175 -> 150.95.66.124:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49176 -> 150.95.66.124:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49183 -> 149.56.131.28:8080 | 2404305 | ET CNC Feodo Tracker Reported CnC Server group 6                | A Network Trojan was detected
TCP 192.168.56.101:49183 -> 149.56.131.28:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 149.56.131.28:8080 -> 192.168.56.101:49185 | 2029340 | ET INFO TLS Handshake Failure                                   | Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 158.69.222.101:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49194 -> 58.227.42.236:80   | 2404318 | ET CNC Feodo Tracker Reported CnC Server group 19               | A Network Trojan was detected
TCP 158.69.222.101:443 -> 192.168.56.101:49190 | 2029340 | ET INFO TLS Handshake Failure                                   | Potentially Bad Traffic
TCP 192.168.56.101:49194 -> 58.227.42.236:80   | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 58.227.42.236:80 -> 192.168.56.101:49195   | 2029340 | ET INFO TLS Handshake Failure                                   | Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 58.227.42.236:80   | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 150.95.66.124:8080 -> 192.168.56.101:49177 | 2029340 | ET INFO TLS Handshake Failure                                   | Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 149.56.131.28:8080 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 192.168.56.101:49189 -> 158.69.222.101:443 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic

Only four of the thirteen contacted addresses produced alerts: 150.95.66.124:8080, 149.56.131.28:8080, 158.69.222.101:443 and 58.227.42.236:80. Two of them (149.56.131.28 and 58.227.42.236) are on the abuse.ch Feodo Tracker blocklist, which covers Emotet, Dridex, TrickBot and QakBot C2 servers. The JA3 rule fired on ClientHellos sent to ports 8080 and 80 as well as 443, i.e. TLS on non-standard ports, and each of the four servers answered with a TLS alert (the inbound 2029340 hits), so no session got past the handshake in the sandbox.
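The alert rows above and the dead_host list at the end of the report are easier to reason about once they are grouped per remote endpoint. The script below is an added example, not ZeroBOX or Cuckoo code: it parses flow lines in the exact shape this report prints them, records for every remote host:port which SIDs fired, whether the remote side ever sent a packet (so the host is alive), and whether a Feodo Tracker rule matched, then cross-checks against the dead_host entries. The alert and dead-host text is copied from this report and embedded so the script runs offline; SANDBOX_IP is assumed from the flows (every outbound flow originates from it).

```python
"""Per-endpoint triage of Suricata alerts and dead-host entries from a sandbox report.

Added example; not ZeroBOX/Cuckoo code. Input text is copied from the report
and embedded here so that the script runs offline.
"""
import re
from collections import defaultdict
from typing import Dict, Set

SANDBOX_IP = "192.168.56.101"  # assumption: the analysis VM, source of every outbound flow

# "TCP src:sport -> dst:dport SID message..." as the report prints it.
FLOW_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sid>\d+)\s+(?P<msg>.+)$"
)

ALERTS = """\
TCP 192.168.56.101:49175 -> 150.95.66.124:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49176 -> 150.95.66.124:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49183 -> 149.56.131.28:8080 2404305 ET CNC Feodo Tracker Reported CnC Server group 6 A Network Trojan was detected
TCP 192.168.56.101:49183 -> 149.56.131.28:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 149.56.131.28:8080 -> 192.168.56.101:49185 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 158.69.222.101:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49194 -> 58.227.42.236:80 2404318 ET CNC Feodo Tracker Reported CnC Server group 19 A Network Trojan was detected
TCP 158.69.222.101:443 -> 192.168.56.101:49190 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49194 -> 58.227.42.236:80 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 58.227.42.236:80 -> 192.168.56.101:49195 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 58.227.42.236:80 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 150.95.66.124:8080 -> 192.168.56.101:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 149.56.131.28:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.101:49189 -> 158.69.222.101:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
"""

DEAD_HOSTS = """\
dead_host 192.168.56.101:49187
dead_host 91.207.28.33:8080
dead_host 172.104.251.154:8080
dead_host 196.218.30.83:443
dead_host 192.168.56.101:49192
dead_host 185.157.82.211:8080
dead_host 192.168.56.101:49197
dead_host 192.168.56.101:49180
dead_host 159.65.88.10:8080
dead_host 192.168.56.101:49174
dead_host 212.24.98.99:8080
dead_host 192.168.56.101:49179
dead_host 107.182.225.142:8080
dead_host 63.142.250.212:443
dead_host 45.176.232.124:443
"""


def parse_alerts(text: str):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(alert_text: str, dead_text: str, sandbox_ip: str = SANDBOX_IP) -> dict:
    """Group alerts by remote host:port; mark hosts that answered or matched Feodo Tracker."""
    remotes: Dict[str, dict] = defaultdict(
        lambda: {"sids": set(), "answered": False, "feodo": False}
    )
    for r in parse_alerts(alert_text):
        if r["src"] == sandbox_ip:                    # outbound: remote is the destination
            key = f'{r["dst"]}:{r["dport"]}'
        else:                                         # inbound: the remote side sent data
            key = f'{r["src"]}:{r["sport"]}'
            remotes[key]["answered"] = True
        remotes[key]["sids"].add(int(r["sid"]))
        if "Feodo Tracker" in r["msg"]:
            remotes[key]["feodo"] = True
    # dead_host lines list both ends of a failed connection; keep only the remote ones
    dead: Set[str] = set()
    for line in dead_text.splitlines():
        ep = line.replace("dead_host", "").strip()
        if ep and not ep.startswith(sandbox_ip + ":"):
            dead.add(ep)
    return {"alerting": dict(remotes), "dead": dead}


def live_c2_candidates(summary: dict):
    """Endpoints on the Feodo Tracker list that actually replied to the sample."""
    return sorted(k for k, v in summary["alerting"].items() if v["feodo"] and v["answered"])


def all_contacted_ips(summary: dict) -> Set[str]:
    """Union of alerting and dead remote IPs (should equal the report's contact list)."""
    return {k.rsplit(":", 1)[0] for k in summary["alerting"]} | {
        k.rsplit(":", 1)[0] for k in summary["dead"]
    }


if __name__ == "__main__":
    s = summarize(ALERTS, DEAD_HOSTS)
    for ep, info in sorted(s["alerting"].items()):
        print(f"{ep:22s} sids={sorted(info['sids'])} answered={info['answered']} feodo={info['feodo']}")
    print("dead:", sorted(s["dead"]))
    print("live Feodo C2:", live_c2_candidates(s))
    print("distinct IPs:", len(all_contacted_ips(s)))
```

The useful output is the intersection: hosts that are both on the Feodo list and answered are the ones worth blocking first and pivoting on, while the nine dead endpoints still belong to the same embedded C2 list and are worth recording as indicators even though nothing came back.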

Suricata TLS

No completed TLS sessions were recorded; every handshake the sample started ended in the server-side handshake failure seen in the alerts above.

API calls (columns as on the report: API, arguments, then Status / Return / Repeated)

GetComputerNameA
  computer_name: TEST22-PC
  1 1 0

IsDebuggerPresent (no arguments; three separate calls, each returning 0, i.e. no debugger seen)
  0 0
  0 0
  0 0
Non-standard section names: .00cfg, .gxfg, .retplne, _RDATA. All four are emitted by recent MSVC toolchains (Control Flow Guard and XFG metadata, retpoline thunks, read-only data), so by themselves they say nothing about packing; the packer-related evidence is the high-entropy .rsrc section further down.
API calls (API, arguments, then Status / Return / Repeated)

__exception__
  stacktrace: (none recorded)
  exception.symbol: (none)
  exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
  exception.address: 0x0 (the faulting instruction pointer is null: control was transferred to address 0)
  registers (decimal as logged, hex in parentheses):
    rax: 0
    rbx: 327994 (0x5013a)
    rcx: 4294967295 (0xffffffff)
    rdx: 6412505479 (0x17e371187)
    rsi: 0
    rdi: 4309112 (0x41c078)
    rbp: 4308928 (0x41bfc0)
    rsp: 2750504 (0x29f828)
    r8: 4309082 (0x41c05a)
    r9: 10 (0xa)
    r10: -72340172838076673 (0xfefefefefefefeff)
    r11: -9187201950435737472 (0x8080808080808080)
    r12: 10 (0xa)
    r13: 0
    r14: 0
    r15: 0
  1 0 0

r10 and r11 hold 0xfefefefefefefeff and 0x8080808080808080, the word-at-a-time zero-byte masks that CRT strlen/strchr-style routines use, so the thread was most likely in or just returning from such a string scan when it jumped to 0. The report gives no stack trace, so which process this happened in and whether it was the sample's own code is not recoverable from this page.
Memory operations flagged (NtAllocateVirtualMemory / NtProtectVirtualMemory with protection 64 = PAGE_EXECUTE_READWRITE). Every call targets the calling process itself (process_handle 0xffffffffffffffff), has stack_dep_bypass 0, stack_pivoted 0 and heap_dep_bypass 0, and was logged with status 1, return 0 (STATUS_SUCCESS), repeated 0. Allocations use allocation_type 12288 (MEM_COMMIT|MEM_RESERVE).

PID  | API                     | base_address       | size / length
2052 | NtAllocateVirtualMemory | 0x0000000001c80000 | 4096
2052 | NtAllocateVirtualMemory | 0x0000000001c90000 | 188416 (0x2e000)
2052 | NtProtectVirtualMemory  | 0x000000007391c000 | 4096
788  | NtAllocateVirtualMemory | 0x0000000001c80000 | 4096
788  | NtAllocateVirtualMemory | 0x0000000001c90000 | 188416 (0x2e000)
788  | NtProtectVirtualMemory  | 0x000000007391c000 | 4096
1660 | NtAllocateVirtualMemory | 0x0000000001c80000 | 4096
1660 | NtAllocateVirtualMemory | 0x0000000001c90000 | 188416 (0x2e000)
1660 | NtProtectVirtualMemory  | 0x000000007391c000 | 4096
2480 | NtProtectVirtualMemory  | 0x000000018006a000 | 4096
2480 | NtAllocateVirtualMemory | 0x0000000001d10000 | 4096
2480 | NtAllocateVirtualMemory | 0x0000000001d20000 | 188416 (0x2e000)
2480 | NtProtectVirtualMemory  | 0x000007fefd2b7000 | 4096
2480 | NtProtectVirtualMemory  | 0x000007fefdbef000 | 4096
2480 | NtProtectVirtualMemory  | 0x000007fefd969000 | 4096
2480 | NtProtectVirtualMemory  | 0x0000000077160000 | 8192
2480 | NtProtectVirtualMemory  | 0x000007feff72d000 | 4096
2480 | NtProtectVirtualMemory  | 0x0000000076d9e000 | 4096
2480 | NtProtectVirtualMemory  | 0x00000000772f0000 | 4096
2480 | NtProtectVirtualMemory  | 0x000007fefbbba000 | 4096

Two things stand out. PIDs 2052, 788 and 1660 perform an identical sequence (a 4 KB and a 184 KB RWX allocation at the same bases, then one page at 0x7391c000 made RWX), which is what the same unpacking stub running in several regsvr32.exe instances looks like. In PID 2480 the first page made RWX is at 0x18006a000, inside the sample's own image (0x180000000 is the default image base of a 64-bit DLL), and the remaining NtProtectVirtualMemory calls each flip a single page in the 0x7fef... and 0x76d9.../0x7716.../0x772f... ranges where Windows 7 x64 maps its system DLLs. Making individual pages of loaded system libraries writable and executable is consistent with patching their code (installing or removing inline hooks); the report does not show what was written, so treat that as an observation to confirm with a memory dump rather than a finding.
cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WEegrnivjptPwXT\cczMSRE.dll"

High-entropy section: .rsrc (virtual_address 0x00086000, virtual_size 0x0003e950, size_of_data 0x0003ea00, entropy 7.26 bits/byte). Description: A section with a high entropy has been found. Entropy this close to 8 means the resource section is effectively random data, i.e. a compressed or encrypted payload stored in resources rather than ordinary icons and strings.

Overall: entropy 0.328. Description: Overall entropy of this PE file is high. This second value is not an entropy: Cuckoo's packer_entropy signature adds up size_of_data for every section whose entropy exceeds 6.8 and divides by the total size_of_data of all sections, and anything above 0.2 raises the "overall" mark. Here the 0x3ea00 bytes of .rsrc out of 0xbee00 bytes of section data (derived from the reported ratio) give 0.328, so roughly a third of the file's section bytes are packed payload.
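To make the two entropy numbers above concrete, here is an added example (not ZeroBOX or Cuckoo code) that computes per-section Shannon entropy and then applies the same arithmetic as Cuckoo's packer_entropy signature: sections above 6.8 bits/byte are "high entropy", and the share of section bytes they account for is the "overall" number. The section contents are constructed filler; only the sizes mimic this sample (a 0x3ea00-byte .rsrc out of 0xbee00 bytes of section data), so the ratio comes out at the same 0.328 the report shows.

```python
"""Per-section Shannon entropy and Cuckoo's "overall entropy" ratio.

Added example for this report; it is not ZeroBOX/Cuckoo code. The per-section
threshold (6.8 bits/byte) and the ratio threshold (0.2) are the ones used by
Cuckoo's packer_entropy signature. The section contents below are constructed:
sizes mimic this sample (0x3ea00 bytes of .rsrc out of 0xbee00 bytes of section
data), the bytes themselves are filler.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List

HIGH_ENTROPY_SECTION = 6.8   # bits per byte, per section
HIGH_ENTROPY_RATIO = 0.2     # share of section bytes living in such sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking filler (SHA-256 chain) standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def packer_entropy(sections: Dict[str, bytes]) -> dict:
    """Same arithmetic as Cuckoo's packer_entropy signature.

    'ratio' is the number the report prints next to "Overall entropy of this PE
    file is high": bytes in sections above HIGH_ENTROPY_SECTION divided by all
    section bytes. It is a fraction, not an entropy.
    """
    per_section = {name: shannon_entropy(data) for name, data in sections.items()}
    high: List[str] = [n for n, e in per_section.items() if e > HIGH_ENTROPY_SECTION]
    total = sum(len(d) for d in sections.values())
    compressed = sum(len(sections[n]) for n in high)
    ratio = compressed / total if total else 0.0
    return {
        "per_section": per_section,
        "high_entropy_sections": high,
        "ratio": ratio,
        "overall_high": ratio > HIGH_ENTROPY_RATIO,
    }


# Constructed stand-in for the sample's sections: a code-like repeating pattern
# (400000 bytes), a zero-filled data section (125312 bytes) and a random-looking
# resource section (0x3ea00 = 256512 bytes); total 0xbee00 bytes.
SAMPLE_SECTIONS: Dict[str, bytes] = {
    ".text": b"\x48\x8b\xc4\x48\x89\x58\x08\x48\x89\x70\x10\x57\x48\x83\xec\x20" * 25000,
    ".data": b"\x00" * 125312,
    ".rsrc": pseudo_random(0x3EA00),
}


def analyze_sample() -> dict:
    return packer_entropy(SAMPLE_SECTIONS)


if __name__ == "__main__":
    result = analyze_sample()
    for name, ent in result["per_section"].items():
        print(f"{name:8s} entropy {ent:.3f}")
    print(f"ratio {result['ratio']:.6f} overall_high={result['overall_high']}")
```

On a real file you would feed the function the raw section data from a PE parser instead of the constructed dictionary; the thresholds stay the same. The per-section figure is the one that tells you where the payload is, the ratio only tells you how much of the file it is.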
Network activity attributed to process regsvr32.exe, hosts contacted: 107.182.225.142, 149.56.131.28, 150.95.66.124, 158.69.222.101, 159.65.88.10, 172.104.251.154, 185.157.82.211, 196.218.30.83, 212.24.98.99, 45.176.232.124, 58.227.42.236, 63.142.250.212, 91.207.28.33 (the same thirteen addresses as in the contact list above).
Service persistence: service_name cczMSRE.dll, service_path C:\Windows\System32\regsvr32.exe "C:\Windows\system32\WEegrnivjptPwXT\cczMSRE.dll"

CreateServiceW
  service_name: cczMSRE.dll
  display_name: cczMSRE.dll
  filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\WEegrnivjptPwXT\cczMSRE.dll"
  filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WEegrnivjptPwXT\cczMSRE.dll"
  service_type: 16 (SERVICE_WIN32_OWN_PROCESS)
  start_type: 2 (SERVICE_AUTO_START, started by the SCM at every boot)
  error_control: 0 (SERVICE_ERROR_IGNORE)
  desired_access: 2 (SERVICE_CHANGE_CONFIG)
  service_start_name: (empty, so the service runs as LocalSystem)
  password: (empty)
  service_manager_handle: 0x00000000002a3680
  service_handle: 0x00000000002b5d30
  1 2841904 0 (return 2841904 is 0x2b5d30, the service handle)

regsvr32.exe is not a service host: it never calls StartServiceCtrlDispatcher, so the SCM will eventually log a start timeout (error 1053) for this service. That does not matter to the malware, because by then regsvr32 has already loaded the DLL and called its DllRegisterServer export, which is all the persistence needs. Services whose ImagePath points at regsvr32.exe, rundll32.exe or similar proxy binaries instead of a real service executable are therefore a cheap and reliable hunt.
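The hunt suggested above can be scripted against an export of the Services registry key. The code below is an added example, not ZeroBOX or Cuckoo code: it takes (name, ImagePath, Start) records in the shape you would pull from HKLM\SYSTEM\CurrentControlSet\Services, splits the ImagePath into host binary and arguments, flags services hosted by regsvr32.exe or similar proxy binaries, and, where the argument is a DLL, notes whether it lives in a subdirectory of System32 the way this sample's does. The registry read itself is not shown; the records are constructed, the first one copied from this report, the others made up as benign fillers.

```python
r"""Hunting for services that use regsvr32.exe (or another proxy binary) as their host.

Added example; not ZeroBOX/Cuckoo code. Works on (name, ImagePath, Start) records
in the shape exported from HKLM\SYSTEM\CurrentControlSet\Services. The records
below are constructed: the first is the one from this report, the rest are
made-up benign services.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

# Binaries that are never legitimate service hosts: none of them registers with
# the SCM, so a service hosted by one is worth a look whatever it loads.
PROXY_HOSTS = ("regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe")

# ImagePath = optionally quoted path ending in .exe, then arguments.
IMAGEPATH_RE = re.compile(r'^\s*"?(?P<host>[^"]+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# First .dll argument, quoted or bare.
DLL_ARG_RE = re.compile(r'"(?P<q>[^"]+\.dll)"|(?P<u>\S+\.dll)', re.IGNORECASE)
# A DLL sitting one directory below System32/SysWOW64 (e.g. System32\WEegrnivjptPwXT\).
SYSTEM32_SUBDIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\[^\\]+$")


class Service(NamedTuple):
    name: str
    image_path: str
    start: int


class Finding(NamedTuple):
    service: str
    host: str
    dll: Optional[str]
    start_type: str
    reasons: List[str]


def split_image_path(image_path: str) -> Tuple[Optional[str], str]:
    """Return (host binary, argument string); host is None for drivers and odd entries."""
    m = IMAGEPATH_RE.match(image_path)
    if not m:
        return None, ""
    return m.group("host"), m.group("args")


def dll_argument(args: str) -> Optional[str]:
    m = DLL_ARG_RE.search(args)
    return (m.group("q") or m.group("u")) if m else None


def triage(services: List[Service]) -> List[Finding]:
    """Flag services hosted by a proxy binary, with the reasons that make them suspicious."""
    findings: List[Finding] = []
    for svc in services:
        host, args = split_image_path(svc.image_path)
        if host is None:
            continue
        host_name = host.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if host_name not in PROXY_HOSTS:
            continue
        reasons = [f"hosted by {host_name}, which never registers with the SCM"]
        dll = dll_argument(args)
        if dll and SYSTEM32_SUBDIR_RE.search(dll.rsplit("\\", 1)[0].lower()):
            reasons.append("DLL lives in a subdirectory of System32 rather than System32 itself")
        if svc.start == 2:
            reasons.append("auto-start: re-launched by the SCM at every boot")
        findings.append(Finding(svc.name, host_name, dll,
                                START_TYPE.get(svc.start, str(svc.start)), reasons))
    return findings


# Constructed records; the first is copied from this report.
SAMPLE_SERVICES = [
    Service("cczMSRE.dll",
            r'C:\Windows\System32\regsvr32.exe "C:\Windows\system32\WEegrnivjptPwXT\cczMSRE.dll"', 2),
    Service("Dhcp", r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted", 2),
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", 2),
    Service("ExampleAgent", r'"C:\Program Files\Example\agent svc.exe" --service', 3),
    Service("examplefilt", r"\SystemRoot\System32\drivers\examplefilt.sys", 1),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES):
        print(f"{f.service}: host={f.host} dll={f.dll} start={f.start_type}")
        for reason in f.reasons:
            print("   -", reason)
```

The host-binary check alone carries the detection; the System32-subdirectory and auto-start checks only rank the hit. Drivers and other ImagePath values without an .exe are skipped rather than guessed at.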
Antivirus results (vendor: verdict)
  Elastic: malicious (high confidence)
  Cynet: Malicious (score: 100)
  FireEye: Generic.mg.17405af200d73c16
  Malwarebytes: Malware.AI.3365036298
  ESET-NOD32: a variant of Win64/GenKryptik.FUMO
  Kaspersky: Trojan-Banker.Win64.Emotet.clos
  Avast: Win64:CrypterX-gen [Trj]
  Sophos: Generic ML PUA (PUA)
  DrWeb: Trojan.Obfuscated.based.1
  Webroot: (no verdict recorded)
  Avira: TR/AD.Nekark.eaknt
  Gridinsoft: Trojan.Heur!.02012022
  Microsoft: Trojan:Win32/Wacatac.B!ml
  ZoneAlarm: VHO:Trojan-Banker.Win64.Emotet.clos
  McAfee: GenericRXAA-AA!17405AF200D7
  MaxSecure: Trojan.Malware.300983.susgen
  Fortinet: W64/Kryptik.NRF!tr
  AVG: Win64:CrypterX-gen [Trj]

Only Kaspersky and ZoneAlarm name the family (Emotet); the rest are generic crypter, Kryptik or machine-learning verdicts, which fits the packed resource payload noted above. The Emotet attribution is independently supported by the Feodo Tracker hits and the regsvr32-hosted service persistence elsewhere in this report.
Zone.Identifier alternate data streams referenced (the stream that carries the Mark-of-the-Web on downloaded files):
  C:\Windows\System32\WEegrnivjptPwXT\cczMSRE.dll:Zone.Identifier
  C:\Windows\System32\VIeWlZD\TUTDMPCL.dll:Zone.Identifier
The second path reveals a second randomly named install directory and DLL name (VIeWlZD\TUTDMPCL.dll) that appears nowhere else on this page, so both paths belong on the indicator list.
Dead hosts (connection attempts that got no response; the 192.168.56.101:port entries are the sandbox-side sockets of those attempts)
  remote endpoints:
    91.207.28.33:8080
    172.104.251.154:8080
    196.218.30.83:443
    185.157.82.211:8080
    159.65.88.10:8080
    212.24.98.99:8080
    107.182.225.142:8080
    63.142.250.212:443
    45.176.232.124:443
  sandbox-side sockets:
    192.168.56.101:49174, 192.168.56.101:49179, 192.168.56.101:49180, 192.168.56.101:49187, 192.168.56.101:49192, 192.168.56.101:49197

These nine endpoints plus the four that raised Suricata alerts (150.95.66.124:8080, 149.56.131.28:8080, 158.69.222.101:443, 58.227.42.236:80) account for all thirteen addresses in the contact list, which is consistent with the sample walking an embedded list of C2 addresses until one answers.