Summary | ZeroBOX

d.exe

Generic Malware UPX Malicious Library Malicious Packer ScreenShot KeyLogger Internet API persistence Socket Escalate privileges SMTP DNS PWS Dynamic Dns SSL AntiDebug OS Processor Check MZP Format dll JPEG Format PE File DLL AntiVM DllRegisterServer PE32
Category: FILE
Machine: s1_win7_x6401
Started: May 1, 2025, 8:33 a.m.
Completed: May 1, 2025, 8:35 a.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 92beef1d585b98dbf7641f3aa93f51f0
SHA256 a3d66a48ab9f7c78985f36a9eccbacba1f68a34fb1e32201e3d1f6756cc5d938
CRC32 E00CCE83
ssdeep 49152:BnsHyjtk2MYC5GDmmP7OlSAxmu/Rjhvu70Y3/hjmK:Bnsmtk2aWOlSAl/o0YkK
Yara
  • PE_Header_Zero - PE File Signature
  • mzp_file_format - MZP(Delphi) file format
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
142.250.198.174 Active Moloch
142.250.198.193 Active Moloch
162.125.84.18 Active Moloch
164.124.101.2 Active Moloch
38.147.172.248 Active Moloch
69.42.215.252 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49179 -> 142.250.198.193:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49181 -> 162.125.84.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2015633 ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com Potentially Bad Traffic
TCP 192.168.56.101:49180 -> 162.125.84.18:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49178 -> 142.250.198.174:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49179 -> 142.250.198.193:443 C=US, O=Google Trust Services, CN=WE2 CN=*.usercontent.google.com e2:75:33:38:ea:c5:6b:07:01:99:0c:e5:64:b0:63:79:cc:b5:d4:83
TLSv1 192.168.56.101:49178 -> 142.250.198.174:443 C=US, O=Google Trust Services, CN=WE2 CN=*.google.com 67:52:2f:ab:93:de:39:da:94:50:11:ae:8b:37:cb:88:8f:dc:56:7d

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
synaptics+0x7bda4 @ 0x47bda4
synaptics+0x7bcf2 @ 0x47bcf2
synaptics+0x7bcb3 @ 0x47bcb3
synaptics+0x845fd @ 0x4845fd
synaptics+0x959fc @ 0x4959fc
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade (the Delphi/C++Builder language-exception code; consistent with the MZP stub and BobSoft packer identified below)
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 60161500
registers.edi: 60161688
registers.eax: 60161500
registers.ebp: 60161580
registers.edx: 0
registers.ebx: 4703484
registers.esi: 11001
registers.ecx: 7
1 0 0

__exception__

stacktrace:
synaptics+0x7bda4 @ 0x47bda4
synaptics+0x7bcf2 @ 0x47bcf2
synaptics+0x7bcb3 @ 0x47bcb3
synaptics+0x845fd @ 0x4845fd
synaptics+0x95a83 @ 0x495a83
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 60159312
registers.edi: 60159500
registers.eax: 60159312
registers.ebp: 60159392
registers.edx: 0
registers.ebx: 4703484
registers.esi: 11004
registers.ecx: 7
1 0 0

__exception__

stacktrace:
synaptics+0x7bda4 @ 0x47bda4
synaptics+0x7bcf2 @ 0x47bcf2
synaptics+0x7bcb3 @ 0x47bcb3
synaptics+0x845fd @ 0x4845fd
synaptics+0x95b0a @ 0x495b0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 60157124
registers.edi: 60157312
registers.eax: 60157124
registers.ebp: 60157204
registers.edx: 0
registers.ebx: 4703484
registers.esi: 11001
registers.ecx: 7
1 0 0
domain xred.mooo.com
request GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
request GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
request GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
request GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2572
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2572
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2700
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2700
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2796
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2796
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2856
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0
description ._cache_csrss2.exe tried to sleep 173 seconds, actually delayed analysis time by 173 seconds
name RT_ICON language LANG_TURKISH filetype dBase IV DBT of @.DBF, block length 8192, next free block index 40 sublanguage SUBLANG_DEFAULT offset 0x000b39f8 size 0x000010a8 (listed twice)
name RT_RCDATA language LANG_TURKISH filetype Microsoft Excel 2007+ sublanguage SUBLANG_DEFAULT offset 0x001ce1f8 size 0x000047d3 (listed 8 times)
name RT_GROUP_ICON language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x001d2a58 size 0x00000014
name RT_VERSION language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x001d2a6c size 0x00000304
domain docs.google.com
file C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
file C:\Users\test22\AppData\Local\Temp\._cache_ctfmon.exe
file C:\ProgramData\Synaptics\Synaptics.dll
file C:\Users\test22\AppData\Local\Temp\csrss2.exe
file C:\Users\test22\AppData\Local\Temp\csrss1.exe
file C:\Users\test22\AppData\Local\Temp\._cache_d.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: Mnopqr Tuvwxyab Defghijk Mnop
filepath: C:\Windows\kesgaa.exe
service_name: Mnopqr
filepath_r: C:\Windows\kesgaa.exe
desired_access: 983551
service_handle: 0x002c5c60
error_control: 0
service_type: 272
service_manager_handle: 0x002c5d28
1 2907232 0
domain www.dropbox.com
file C:\Users\test22\AppData\Local\Temp\._cache_d.exe
file C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
file C:\Users\test22\AppData\Local\Temp\6063296\TemporaryFile\TemporaryFile
file C:\Users\test22\AppData\Local\Temp\._cache_d.exe
file C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
file C:\Users\test22\AppData\Local\Temp\csrss2.exe
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section .rsrc virtual_address 0x000b0000 virtual_size 0x00122d70 size_of_data 0x00122e00 entropy 7.951280133379602 description A section with a high entropy has been found
entropy 0.630794253185 description Overall entropy of this PE file is high
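The two entropy lines above are what the sandbox's packed-section heuristic reports: a .rsrc section at 7.95 bits per byte in a Delphi (MZP stub) image. The following Python is an added example, not ZeroBOX's code and not taken from the sample: it parses a PE section table and computes per-section Shannon entropy, then reports the share of raw section bytes that sit in high-entropy sections. It runs on a constructed minimal PE32 rather than on d.exe, the 7.0 threshold is my choice, and the "fraction" figure is my approximation of the overall-entropy heuristic, not the sandbox's exact formula.

```python
import math
import random
import struct

HIGH_ENTROPY = 7.0   # chosen threshold; the report flags .rsrc at 7.95 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    (_machine, n_sections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def entropy_report(pe: bytes) -> dict:
    """Per-section entropy plus the share of raw bytes sitting in high-entropy sections."""
    secs = parse_sections(pe)
    total = sum(len(s["raw"]) for s in secs) or 1
    high = 0
    rows = []
    for s in secs:
        h = shannon_entropy(s["raw"])
        flagged = h >= HIGH_ENTROPY
        if flagged:
            high += len(s["raw"])
        rows.append((s["name"], len(s["raw"]), round(h, 3), flagged))
    return {
        "delphi_stub": pe[:3] == b"MZP",    # Delphi/BobSoft images carry an "MZP" DOS stub
        "sections": rows,
        "high_entropy_fraction": high / total,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 (not d.exe): repetitive CODE section + random-looking .rsrc."""
    rng = random.Random(1)                                  # fixed seed: reproducible
    code = b"\x55\x8b\xec" * 1000 + b"\x00" * 1096         # 4096 bytes, low entropy
    rsrc = bytes(rng.getrandbits(8) for _ in range(8192))  # 8192 bytes, ~8 bits/byte
    payloads = [(b"CODE", code, 0x1000), (b".rsrc", rsrc, 0x3000)]
    headers_len = 0x200
    dos = bytearray(0x40)
    dos[:3] = b"MZP"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE header at 0x40
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, len(opt), 0x0102)
    table, body, raw_ptr = bytearray(), bytearray(), headers_len
    for name, data, vaddr in payloads:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data
        raw_ptr += len(data)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0")
    return bytes(image + body)


if __name__ == "__main__":
    for row in entropy_report(build_sample_pe())["sections"]:
        print("%-8s size=%-6d entropy=%.3f %s" % (row[0], row[1], row[2],
                                                  "HIGH" if row[3] else ""))
```

Run it against a real file with `entropy_report(open(path, "rb").read())`; a section near 8 bits/byte that is also large and marked executable is the usual sign of a packer or an encrypted embedded payload, and the MZP check separates Delphi-built images (as here) from the generic MZ stub.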
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000000fc
process_name: Synŷ
process_identifier: 2796
0 0

Process32NextW

snapshot_handle: 0x0000017c
process_name: 㭘oﶴɍ㱴直㲣直畍
process_identifier: 3068
0 0
(this identical entry is repeated 49 times in the original report)
url https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
url http://freedns.afraid.org/api/?action=getdyndns
url https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
url http://xred.site50.net/syn/SSLLibrary.dll
url https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ
url https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk
url http://xred.site50.net/syn/SUpdate.ini
url https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
url https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk
url http://xred.site50.net/syn/Synaptics.rar
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications smtp rule network_smtp_raw
description Communications over SSL rule Network_SSL
description Communications use DNS rule Network_DNS
description Communications DynDns network rule Network_DynDns
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Run a KeyLogger rule KeyLogger
host 38.147.172.248
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver reg_value C:\ProgramData\Synaptics\Synaptics.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst reg_value C:\Users\test22\AppData\Local\Temp\csrss1.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver reg_value C:\ProgramData\Synaptics\Synaptics.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name reg_value C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
service_name Mnopqr service_path C:\Windows\kesgaa.exe
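The persistence records above combine four Run-key values and one CreateServiceA call. The Python below is an added example, not ZeroBOX's code: it parses the report's `reg_key ... reg_value ...` lines, drops the duplicated Synaptics entry, and applies the checks a triage analyst runs on an autostart image path (user-writable location, name mimicking a Windows binary outside System32, executable dropped straight into C:\Windows). It also decodes the numeric `service_type`/`start_type` arguments shown in the CreateServiceA record (272 = 0x110, 2 = auto start). The input lines are copied from this report; the system-binary list and the heuristics are my choices.

```python
import ntpath
import re

# Windows binaries whose names the dropped files imitate (csrss*, ctfmon), plus a few more.
SYSTEM_BINARIES = ("csrss.exe", "ctfmon.exe", "svchost.exe", "lsass.exe", "winlogon.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
SERVICE_TYPE = {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS",
                0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def path_findings(path: str) -> list:
    """Heuristics on an autostart image path; returns human-readable findings."""
    low = path.lower()
    name = ntpath.basename(low)
    out = []
    if any(d in low for d in USER_WRITABLE):
        out.append("image lives in a user-writable directory")
    stem = re.sub(r"\d+(?=\.exe$)", "", name)          # csrss1.exe -> csrss.exe
    hit = next((b for b in SYSTEM_BINARIES if stem.endswith(b)), None)
    if hit and not low.startswith("c:\\windows\\system32\\"):
        out.append("name mimics Windows binary %s outside System32" % hit)
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low):
        out.append("executable placed directly in C:\\Windows")
    return out


RUN_LINE = re.compile(r"^reg_key (?P<key>.+?) reg_value (?P<value>.+)$")


def triage_run_lines(lines: list) -> list:
    """Parse 'reg_key ... reg_value ...' report lines, drop duplicates, keep suspicious ones."""
    results, seen = [], set()
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m or (m.group("key"), m.group("value")) in seen:
            continue
        seen.add((m.group("key"), m.group("value")))
        findings = path_findings(m.group("value"))
        if findings:
            results.append({"value_name": m.group("key").rsplit("\\", 1)[1],
                            "image": m.group("value"), "findings": findings})
    return results


def triage_service(service_name: str, service_path: str,
                   service_type: int, start_type: int) -> dict:
    """Decode the numeric CreateService arguments and apply the same path heuristics."""
    types = [n for bit, n in sorted(SERVICE_TYPE.items()) if service_type & bit]
    findings = path_findings(service_path)
    if service_type & 0x100:
        findings.append("SERVICE_INTERACTIVE_PROCESS set: service may interact with the desktop")
    if start_type == 2:
        findings.append("SERVICE_AUTO_START: starts at boot without user action")
    return {"service": service_name, "type": types,
            "start": START_TYPE.get(start_type, hex(start_type)), "findings": findings}


# Constructed input: the Run-key lines exactly as they appear in this report.
RUN_LINES = [
    r"reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver reg_value C:\ProgramData\Synaptics\Synaptics.exe",
    r"reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst reg_value C:\Users\test22\AppData\Local\Temp\csrss1.exe",
    r"reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver reg_value C:\ProgramData\Synaptics\Synaptics.exe",
    r"reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\name reg_value C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe",
]

if __name__ == "__main__":
    for entry in triage_run_lines(RUN_LINES):
        print(entry)
    # service_type 272 and start_type 2 are the values in the CreateServiceA record above
    print(triage_service("Mnopqr", r"C:\Windows\kesgaa.exe", 272, 2))
```

The service decode confirms what the raw numbers hide: 272 is SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS and 2 is SERVICE_AUTO_START, so `kesgaa.exe` is registered to start at every boot. On a live host the same path checks apply to the output of `reg query ...\Run` and `sc qc <name>`.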
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ œ Ö€« ° @Ð @ B* 0ÍP €©@ !@ CODEì› œ  `DATAT.° 0  @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc€©P ªþ @P.rsrc0Í Î¨ @P ¶ @P
base_address: 0x00400000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer: 0J0JİI@JSynaptics Pointing Device Driver
base_address: 0x004a4000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 3068
process_handle: 0x0000017c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ œ Ö€« ° @Ð @ B* 0ÍP €©@ !@ CODEì› œ  `DATAT.° 0  @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc€©P ªþ @P.rsrc0Í Î¨ @P ¶ @P
base_address: 0x00400000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x03963540
hook_identifier: 2 (WH_KEYBOARD)
module_address: 0x03960000
1 197099 0
process Synaptics.exe useragent MyApp
process Synaptics.exe useragent Synaptics.exe
Process injection Process 2984 called NtSetContextThread to modify thread in remote process 3068
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4828032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000174
process_identifier: 3068
1 0 0
Process injection Process 2984 resumed a thread in remote process 3068
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000174
suspend_count: 1
process_identifier: 3068
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2572
1 0 0

CreateProcessInternalW

thread_identifier: 2704
thread_handle: 0x00000450
process_identifier: 2700
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\._cache_d.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\._cache_d.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_d.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000448
1 1 0

CreateProcessInternalW

thread_identifier: 2800
thread_handle: 0x00000458
process_identifier: 2796
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\ProgramData\Synaptics\Synaptics.exe
track: 1
command_line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
filepath_r: C:\ProgramData\Synaptics\Synaptics.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000448
1 1 0

CreateProcessInternalW

thread_identifier: 2760
thread_handle: 0x00000100
process_identifier: 2756
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\csrss1.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000104
1 1 0

CreateProcessInternalW

thread_identifier: 2860
thread_handle: 0x00000104
process_identifier: 2856
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\csrss2.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000100
1 1 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: C:\Users\test22\AppData\Local\Temp\csrss3.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: C:\Users\test22\AppData\Local\Temp\csrss4.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: C:\Users\test22\AppData\Local\Temp\csrss5.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000000
0 0

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2796
1 0 0

NtResumeThread

thread_handle: 0x0000031c
suspend_count: 1
process_identifier: 2796
1 0 0

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2856
1 0 0

CreateProcessInternalW

thread_identifier: 2988
thread_handle: 0x00000448
process_identifier: 2984
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_csrss2.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000440
1 1 0

CreateProcessInternalW

thread_identifier: 2052
thread_handle: 0x00000174
process_identifier: 3068
current_directory:
filepath:
track: 1
command_line: ctfmon.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000017c
1 1 0

NtGetContextThread

thread_handle: 0x00000174
1 0 0

NtUnmapViewOfSection

base_address: 0x024dfedc
region_size: 1954877440
process_identifier: 3068
process_handle: 0x0000017c
3221225497 (0xc0000019, STATUS_NOT_MAPPED_VIEW) 0

NtAllocateVirtualMemory

process_identifier: 3068
region_size: 905216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000017c
1 0 0

WriteProcessMemory

buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ œ Ö€« ° @Ð @ B* 0ÍP €©@ !@ CODEì› œ  `DATAT.° 0  @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc€©P ªþ @P.rsrc0Í Î¨ @P ¶ @P
base_address: 0x00400000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0049b000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0049e000
process_identifier: 3068
process_handle: 0x0000017c
0 0

WriteProcessMemory

buffer:
base_address: 0x004a0000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004a3000
process_identifier: 3068
process_handle: 0x0000017c
0 0

WriteProcessMemory

buffer: 0J0JİI@JSynaptics Pointing Device Driver
base_address: 0x004a4000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004a5000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x004b0000
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 3068
process_handle: 0x0000017c
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4828032
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000174
process_identifier: 3068
1 0 0

NtResumeThread

thread_handle: 0x00000174
suspend_count: 1
process_identifier: 3068
1 0 0

NtResumeThread

thread_handle: 0x00000160
suspend_count: 1
process_identifier: 3068
1 0 0

CreateProcessInternalW

thread_identifier: 2104
thread_handle: 0x00000434
process_identifier: 2124
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\._cache_ctfmon.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\._cache_ctfmon.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\._cache_ctfmon.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000042c
1 1 0

NtResumeThread

thread_handle: 0x00000130
suspend_count: 1
process_identifier: 2124
1 0 0
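The sequence from pid 2984 against pid 3068 above is textbook process hollowing: `ctfmon.exe` is created with CREATE_SUSPENDED, an NtUnmapViewOfSection attempt follows (it fails here), a 905216-byte PAGE_READWRITE region is allocated at 0x00400000, an MZP-stub image is written there, a four-byte write lands at 0x7efde008, and NtSetContextThread sets EAX to 4828032 and EBX to 2130567168 before the thread is resumed. The Python below is an added example, not ZeroBOX's code: a detector that groups cross-process API records by (caller, target) and reports the chain, using the 32-bit facts that the initial thread context carries the entry point in EAX and the PEB address in EBX, and that PEB+8 is ImageBaseAddress. The trace is constructed from the values in this report; the record layout (`pid`, `api`, `args`) is my own simplified shape, not the sandbox's JSON.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
PEB_IMAGE_BASE_OFFSET = 0x8     # PEB.ImageBaseAddress on 32-bit Windows


def _ctx_regs(args: dict) -> dict:
    """Pull registers.* fields (the report's NtSetContextThread format) into {name: value}."""
    return {k.split(".", 1)[1]: v for k, v in args.items() if k.startswith("registers.")}


def detect_hollowing(trace: list) -> dict:
    """Group cross-process calls by (caller pid, target pid) and look for the chain:
    create suspended -> (unmap) -> write PE image -> set thread context -> resume."""
    fresh = lambda: {"suspended": False, "cmdline": None, "unmap_attempted": False,
                     "regions": [], "writes": [], "ctx": None, "resumed": False}
    state = defaultdict(fresh)
    for rec in trace:
        a = rec["args"]
        tgt = a.get("process_identifier")
        if tgt is None or tgt == rec["pid"]:
            continue                                  # only cross-process activity matters
        st = state[(rec["pid"], tgt)]
        api = rec["api"]
        if api == "CreateProcessInternalW":
            st["suspended"] = bool(a.get("creation_flags", 0) & CREATE_SUSPENDED)
            st["cmdline"] = a.get("command_line")
        elif api == "NtUnmapViewOfSection":
            st["unmap_attempted"] = True             # the attempt is the signal, even if it fails
        elif api == "NtAllocateVirtualMemory":
            st["regions"].append((a["base_address"], a["base_address"] + a["region_size"]))
        elif api == "WriteProcessMemory":
            st["writes"].append((a["base_address"], a.get("buffer", b"")))
        elif api == "NtSetContextThread":
            st["ctx"] = _ctx_regs(a)
        elif api == "NtResumeThread":
            st["resumed"] = True

    findings = {}
    for key, st in state.items():
        pe_bases = [base for base, buf in st["writes"] if buf[:2] == b"MZ"]
        if not (st["suspended"] and pe_bases and st["ctx"] and st["resumed"]):
            continue
        entry = st["ctx"].get("eax", 0)               # x86 initial context: EAX = entry point
        peb = st["ctx"].get("ebx", 0)                 #                      EBX = PEB address
        evidence = ["created suspended: %s" % st["cmdline"],
                    "PE header written at 0x%x" % pe_bases[0]]
        if st["unmap_attempted"]:
            evidence.append("NtUnmapViewOfSection called on target")
        if any(lo <= entry < hi for lo, hi in st["regions"]):
            evidence.append("new EAX 0x%x (entry point) lies inside the injected region" % entry)
        if any(base == peb + PEB_IMAGE_BASE_OFFSET for base, _ in st["writes"]):
            evidence.append("PEB.ImageBaseAddress at 0x%x rewritten" % (peb + PEB_IMAGE_BASE_OFFSET))
        findings[key] = {"technique": "process hollowing", "entry_point": entry,
                         "evidence": evidence}
    return findings


# Constructed trace: pids, addresses and register values are the ones in this report.
TRACE = [
    # an ordinary child launch by the dropper: no CREATE_SUSPENDED, no remote writes
    {"pid": 2572, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 2700, "creation_flags": 0x04080410,
              "command_line": r'"C:\Users\test22\AppData\Local\Temp\._cache_d.exe"'}},
    {"pid": 2572, "api": "NtResumeThread", "args": {"process_identifier": 2700}},
    # the hollowing chain from ._cache_csrss2.exe (2984) into suspended ctfmon.exe (3068)
    {"pid": 2984, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 3068, "creation_flags": 0x4, "command_line": "ctfmon.exe"}},
    {"pid": 2984, "api": "NtGetContextThread", "args": {"thread_handle": 0x174}},
    {"pid": 2984, "api": "NtUnmapViewOfSection",               # failed with 0xC0000019 in the report
     "args": {"process_identifier": 3068, "base_address": 0x024dfedc}},
    {"pid": 2984, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 3068, "base_address": 0x400000,
              "region_size": 905216, "protection": 4}},
    {"pid": 2984, "api": "WriteProcessMemory",
     "args": {"process_identifier": 3068, "base_address": 0x400000, "buffer": b"MZP\xff\xff\xb8"}},
    {"pid": 2984, "api": "WriteProcessMemory",
     "args": {"process_identifier": 3068, "base_address": 0x4a4000,
              "buffer": b"Synaptics Pointing Device Driver"}},
    {"pid": 2984, "api": "WriteProcessMemory",                 # PEB+8: new ImageBaseAddress
     "args": {"process_identifier": 3068, "base_address": 0x7efde008, "buffer": b"\x00\x00\x40\x00"}},
    {"pid": 2984, "api": "NtSetContextThread",
     "args": {"process_identifier": 3068, "registers.eax": 4828032, "registers.ebx": 2130567168}},
    {"pid": 2984, "api": "NtResumeThread", "args": {"process_identifier": 3068}},
]

if __name__ == "__main__":
    for (src, dst), hit in detect_hollowing(TRACE).items():
        print("%d -> %d: %s, entry 0x%x" % (src, dst, hit["technique"], hit["entry_point"]))
        for line in hit["evidence"]:
            print("   ", line)
```

Two details the detector relies on are worth checking by hand in the report: 2130567168 is 0x7efde000, so the write at 0x7efde008 is exactly PEB.ImageBaseAddress, and 4828032 is 0x49ab80, inside the 0x00400000 to 0x004dd000 region that was allocated and filled. The benign launch of `._cache_d.exe` by pid 2572 produces no finding because it was never created suspended and received no remote writes.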
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
CAT-QuickHeal Sus.Nocivo.E0011
Skyhigh BehavesLike.Win32.Synaptics.tc
ALYac Win32.Comet.A
Cylance Unsafe
VIPRE Win32.Comet.A
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
BitDefender Win32.Comet.A
K7GW Trojan ( 000112511 )
K7AntiVirus Trojan ( 000112511 )
Arcabit HEUR.VBA.Trojan.d
Symantec W32.Zorex
Elastic malicious (high confidence)
ESET-NOD32 Win32/Delf.NBX
APEX Malicious
Avast Win32:Evo-gen [Trj]
ClamAV Win.Trojan.Emotet-9850453-0
Kaspersky Backdoor.Win32.DarkKomet.hqxy
Alibaba Backdoor:Win32/DarkKomet.353
NANO-Antivirus Trojan.Win32.DarkKomet.fazbwq
MicroWorld-eScan Win32.Comet.A
Rising Virus.Synaptics!1.E51C (CLASSIC)
Emsisoft Win32.Comet.A (B)
F-Secure Heuristic.HEUR/AGEN.1359402
DrWeb Win32.HLLW.Siggen.10555
Zillya Trojan.Delf.Win32.76144
TrendMicro Virus.Win32.NAPWHICH.B
McAfeeD ti!A3D66A48AB9F
Trapmine malicious.high.ml.score
CTX exe.unknown.comet
Sophos ElReceptor Keyboard Hook (PUA)
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.92beef1d585b98db
Jiangmin Win32/Synaptics.Gen
Webroot W32.Backdoor.Gen
Google Detected
Avira TR/Dldr.Agent.SH
Antiy-AVL Virus/Win32.DarkKomet.a
Kingsoft malware.kb.a.1000
Gridinsoft Trojan.Win32.Downloader.mz!n
Xcitium Virus.Win32.Agent.DE@74b38h
Microsoft Worm:Win32/AutoRun!atmn
ViRobot Win32.Zorex.A
GData Win32.Backdoor.Agent.AXS
Varist W32/Trojan.YMOP-5085
AhnLab-V3 Win32/Zorex.X1799
Acronis suspicious
McAfee W32/Synaptics