Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 1, 2025, 8:28 a.m.	May 1, 2025, 8:31 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`36a4c93d5ceeade9dc686958f8306272`
SHA256	`e041b61f2ab7443d48b887813bb2a546b9dae9b1c583840873f12a2133625678`
CRC32	`948A18BC`
ssdeep	`24576:jnsJ39LyjbJkQFMhmC+6GD9yjgW4B6MVoaaDNFK9ef+TJz9E:jnsHyjtk2MYC5GDs8W4B6MQDNA9eGTJq`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer ASPack_Zero - ASPack packed file mzp_file_format - MZP(Delphi) file format Antivirus - Contains references to security software anti_vm_detect - Possibly employs anti-virtualization techniques Network_Downloader - File Downloader Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

cmd.exe "C:\Users\test22\AppData\Local\Temp\cmd.exe"
2000
- ._cache_cmd.exe "C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe"
  2208
  - oasUOG.exe C:\Users\test22\AppData\Local\Temp\oasUOG.exe
    2252
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\47022eb1.bat" "
      3004
      - ._cache_cmd.exe "C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe" /c C:\Users\test22\AppData\Local\Temp\47022eb1.bat
        2240
        
        oasUOG.exe C:\Users\test22\AppData\Local\Temp\oasUOG.exe
        2372
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\08156d1b.bat" "
        948
        
        ._cache_cmd.exe "C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe" /c C:\Users\test22\AppData\Local\Temp\08156d1b.bat
        2068
        
        oasUOG.exe C:\Users\test22\AppData\Local\Temp\oasUOG.exe
        1968
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\63752e25.bat" "
        2812
- Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2360

Name	Response	Post-Analysis Lookup
ddos.dnsnb8.net	A 3.229.117.57	3.229.117.57
www.dropbox.com	CNAME www-env.dropbox-dns.com A 162.125.84.18	162.125.84.18
2000.ink
docs.google.com	A 142.250.198.46	142.250.206.206
freedns.afraid.org	A 69.42.215.252	69.42.215.252
drive.usercontent.google.com	A 142.250.71.129	142.250.207.97
xred.mooo.com

IP Address	Status	Action
142.250.198.46	Active	Moloch
142.250.71.129	Active	Moloch
162.125.84.18	Active	Moloch
164.124.101.2	Active	Moloch
3.229.117.57	Active	Moloch
45.152.67.113	Active	Moloch
69.42.215.252	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2015633	ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 142.250.71.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49179 -> 162.125.84.18:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 45.152.67.113:6100	2048128	ET MALWARE Win32/Gh0stRat C2 Checkin	A Network Trojan was detected
TCP 192.168.56.103:49191 -> 45.152.67.113:6100	2048128	ET MALWARE Win32/Gh0stRat C2 Checkin	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 45.152.67.113:6100	2048128	ET MALWARE Win32/Gh0stRat C2 Checkin	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 45.152.67.113:6100	2048128	ET MALWARE Win32/Gh0stRat C2 Checkin	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 45.152.67.113:6100	2048128	ET MALWARE Win32/Gh0stRat C2 Checkin	A Network Trojan was detected
TCP 192.168.56.103:49176 -> 142.250.198.46:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49177 142.250.71.129:443	C=US, O=Google Trust Services, CN=WE2	CN=*.usercontent.google.com	e2:75:33:38:ea:c5:6b:07:01:99:0c:e5:64:b0:63:79:cc:b5:d4:83
TLSv1 192.168.56.103:49176 142.250.198.46:443	C=US, O=Google Trust Services, CN=WE2	CN=*.google.com	67:52:2f:ab:93:de:39:da:94:50:11:ae:8b:37:cb:88:8f:dc:56:7d

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 1, 2025, 8:29 a.m.	computer_name: TEST22-PC	1	1	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 1, 2025, 8:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ May 1, 2025, 8:29 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x959fc @ 0x4959fc BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 53870044 registers.edi: 53870232 registers.eax: 53870044 registers.ebp: 53870124 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1
__exception__ May 1, 2025, 8:29 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95a83 @ 0x495a83 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 53867856 registers.edi: 53868044 registers.eax: 53867856 registers.ebp: 53867936 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11004 registers.ecx: 7	1
__exception__ May 1, 2025, 8:29 a.m.	stacktrace: synaptics+0x7bda4 @ 0x47bda4 synaptics+0x7bcf2 @ 0x47bcf2 synaptics+0x7bcb3 @ 0x47bcb3 synaptics+0x845fd @ 0x4845fd synaptics+0x95b0a @ 0x495b0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 53865668 registers.edi: 53865856 registers.eax: 53865668 registers.ebp: 53865748 registers.edx: 0 registers.ebx: 4703484 registers.esi: 11001 registers.ecx: 7	1

Connects to a Dynamic DNS Domain (1 event)

domain

xred.mooo.com

Performs some HTTP requests (5 events)

request	GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request	GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request	GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 1, 2025, 8:28 a.m.	process_identifier: 2000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2025, 8:29 a.m.	process_identifier: 2360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2025, 8:30 a.m.	process_identifier: 3004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2025, 8:30 a.m.	process_identifier: 948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2025, 8:31 a.m.	process_identifier: 2812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

._cache_cmd.exe tried to sleep 196 seconds, actually delayed analysis time by 196 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW May 1, 2025, 8:29 a.m.	total_number_of_free_bytes: 9931636736 free_bytes_available: 9931636736 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW May 1, 2025, 8:30 a.m.	total_number_of_free_bytes: 9922994176 free_bytes_available: 9922994176 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (12 events)

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x001333b8

size

0x000047d3

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00137c18

size

0x00000014

name

RT_VERSION

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00137c2c

size

0x00000304

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (37 events)

file	C:\Users\test22\AppData\Local\Temp\63752e25.bat
file	C:\tmpvmqcut\bin\execsc.exe
file	C:\Program Files (x86)\7-Zip\7zFM.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\tmpvmqcut\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\Users\test22\AppData\Local\Temp\08156d1b.bat
file	C:\tmp6o6lvv\bin\execsc.exe
file	C:\Users\test22\AppData\Local\Temp\357956B6.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Users\test22\AppData\Local\Temp\65DD3BC8.exe
file	C:\Program Files (x86)\7-Zip\7z.exe
file	C:\Users\test22\AppData\Local\Temp\1DB33B08.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\util\pafish.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Python27\Lib\site-packages\setuptools\cli.exe
file	C:\tmp6o6lvv\bin\inject-x86.exe
file	C:\Users\test22\AppData\Local\Temp\268E7091.exe
file	C:\Program Files (x86)\7-Zip\7zG.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file	C:\Users\test22\AppData\Local\Temp\oasUOG.exe
file	C:\ProgramData\Synaptics\Synaptics.dll
file	C:\Users\test22\AppData\Local\Temp\35CE62A5.exe
file	C:\Users\test22\AppData\Local\Temp\4617764B.exe
file	C:\tmpvmqcut\bin\is32bit.exe
file	C:\tmp6o6lvv\bin\is32bit.exe
file	C:\Users\test22\AppData\Local\Temp\47022eb1.bat
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Users\test22\AppData\Local\Temp\58DF100A.exe
file	C:\Program Files (x86)\7-Zip\Uninstall.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe
file	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe

Creates a suspicious process (6 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe" /c C:\Users\test22\AppData\Local\Temp\08156d1b.bat
cmdline	"C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe" /c C:\Users\test22\AppData\Local\Temp\47022eb1.bat
cmdline	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe /c C:\Users\test22\AppData\Local\Temp\08156d1b.bat
cmdline	"C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe"
cmdline	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe
cmdline	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe /c C:\Users\test22\AppData\Local\Temp\47022eb1.bat

Looks up the Dropbox cloud service (1 event)

domain

www.dropbox.com

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe
file	C:\Users\test22\AppData\Local\Temp\47022eb1.bat
file	C:\Users\test22\AppData\Local\Temp\08156d1b.bat
file	C:\Users\test22\AppData\Local\Temp\63752e25.bat

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\oasUOG.exe
file	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 1, 2025, 8:30 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\47022eb1.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\47022eb1.bat	1	1
ShellExecuteExW May 1, 2025, 8:30 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\08156d1b.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\08156d1b.bat	1	1
ShellExecuteExW May 1, 2025, 8:31 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\63752e25.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\63752e25.bat	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (45 events)

Time & API	Arguments	Status	Return
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: smss.exe process_identifier: 232	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: services.exe process_identifier: 436	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: mobsync.exe process_identifier: 1676	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 760	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: taskhost.exe process_identifier: 1792	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 1532	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: SearchProtocolHost.exe process_identifier: 1516	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: conhost.exe process_identifier: 300	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: SearchFilterHost.exe process_identifier: 1704	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 2064	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: ._cache_cmd.exe process_identifier: 2208	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: oasUOG.exe process_identifier: 2252	1	1
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: svchost.exe process_identifier: 2576	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: mscorsvw.exe process_identifier: 2612	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: mscorsvw.exe process_identifier: 2644	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: sppsvc.exe process_identifier: 2696	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 2940	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: conhost.exe process_identifier: 2948	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: pw.exe process_identifier: 2972	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: XGUMfU.exe process_identifier: 3028	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: inOpLe.exe process_identifier: 1944	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: ._cache_cmd.exe process_identifier: 2240	1	1
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00088000', u'virtual_address': u'0x000b0000', u'entropy': 7.049884694781614, u'name': u'.rsrc', u'virtual_size': u'0x00087f30'}

entropy

7.04988469478

description

A section with a high entropy has been found

entropy

0.444081632653

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 72 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000320 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:29 a.m.	snapshot_handle: 0x00000340 process_name: Synaptics.exe process_identifier: 2360		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0
Process32NextW May 1, 2025, 8:30 a.m.	snapshot_handle: 0x00000320 process_name: cmd.exe process_identifier: 948		0	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe" /c C:\Users\test22\AppData\Local\Temp\08156d1b.bat
cmdline	"C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe" /c C:\Users\test22\AppData\Local\Temp\47022eb1.bat
cmdline	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe /c C:\Users\test22\AppData\Local\Temp\08156d1b.bat
cmdline	C:\Users\test22\AppData\Local\Temp\._cache_cmd.exe /c C:\Users\test22\AppData\Local\Temp\47022eb1.bat

Communicates with host for which no DNS query was performed (1 event)

host

45.152.67.113

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver	reg_value	C:\ProgramData\Synaptics\Synaptics.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Server.exe	reg_value	C:\ProgramData\Microsoft\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Server.exe	reg_value	C:\ProgramData\Microsoft\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Server.exe	reg_value	C:\ProgramData\Microsoft\Server.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 1, 2025, 8:29 a.m.	thread_identifier: 0 callback_function: 0x03363540 hook_identifier: 2 (WH_KEYBOARD) module_address: 0x03360000	1	197107	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	Synaptics.exe				useragent	MyApp
process	Synaptics.exe				useragent	Synaptics.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.103:49171

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Sus.Nocivo.E0011
Skyhigh	BehavesLike.Win32.Synaptics.th
ALYac	Dropped:Win32.VJadtre.3
Cylance	Unsafe
VIPRE	Dropped:Win32.VJadtre.3
Sangfor	Trojan.Win32.SilverFox.swkah
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Dropped:Win32.VJadtre.3
K7GW	Trojan ( 000112511 )
K7AntiVirus	Trojan ( 000112511 )
Arcabit	HEUR.VBA.Trojan.d
Baidu	Win32.Virus.Otwycal.d
Symantec	W32.Zorex
Elastic	Windows.Trojan.DustyWarehouse
ESET-NOD32	Win32/Delf.NBX
APEX	Malicious
Avast	Other:Malware-gen [Trj]
ClamAV	Win.Trojan.Emotet-9850453-0
Kaspersky	Backdoor.Win32.DarkKomet.hqxy
NANO-Antivirus	Trojan.Win32.DarkKomet.fazbwq
MicroWorld-eScan	Dropped:Win32.VJadtre.3
Rising	Virus.Synaptics!1.E51C (CLASSIC)
Emsisoft	Dropped:Win32.VJadtre.3 (B)
F-Secure	Malware.W2000M/Dldr.Agent.17651006
DrWeb	Win32.HLLW.Siggen.10555
Zillya	Trojan.Delf.Win32.76144
TrendMicro	Virus.Win32.NAPWHICH.B
McAfeeD	ti!E041B61F2AB7
CTX	exe.unknown.dropped
Sophos	W32/Nimnul-A
SentinelOne	Static AI - Malicious PE
Jiangmin	Win32/Synaptics.Gen
Webroot	W32.Malware.gen
Avira	W32/Jadtre.D
Antiy-AVL	Virus/Win32.DarkKomet.a
Gridinsoft	Trojan.Win32.Downloader.mz!n
Xcitium	Virus.Win32.Agent.DE@74b38h
Microsoft	Worm:Win32/AutoRun!atmn
ViRobot	Win32.Zorex.A
ZoneAlarm	W32/Nimnul-A
GData	Win32.Backdoor.Agent.AXS
Varist	W32/Trojan.YMOP-5085
AhnLab-V3	Win32/Zorex.X1799
Acronis	suspicious
McAfee	W32/Synaptics
TACHYON	Backdoor/W32.DP-DarkKomet.1255424.B
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.Delf

cmd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All