clean1.exe

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\BAD console_handle: 0x000000000000000b	1	1	0
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\BAD console_handle: 0x000000000000000b	1	1	0
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\BAD console_handle: 0x000000000000000b	1	1	0
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\ginotsa.dll console_handle: 0x000000000000000b	1	1	0
WriteConsoleW June 24, 2021, 6:59 p.m.	buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\tt.bat console_handle: 0x000000000000000b	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\62E9.tmp\62EA.tmp\62FB.bat

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.111835561466392, u'name': u'.rdata', u'virtual_size': u'0x000033a5'}

entropy

7.11183556147

description

A section with a high entropy has been found

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 24, 2021, 7:06 p.m.	status_code: 0xffffffff process_identifier: 1772 process_handle: 0x000000d8		0	0
NtTerminateProcess June 24, 2021, 7:06 p.m.	status_code: 0xffffffff process_identifier: 1772 process_handle: 0x000000d8		3221225738	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\62E9.tmp\62EA.tmp\62FB.bat C:\Users\test22\AppData\Local\Temp\clean1.exe"
cmdline	attrib +s +h +r clean1.exe
cmdline	attrib -s -h -r

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Deletes executed files from disk (3 events)

file	C:\Users\test22\AppData\Local\Temp\62E9.tmp
file	C:\Users\test22\AppData\Local\Temp\62E9.tmp\62EA.tmp
file	C:\Users\test22\AppData\Local\Temp\62E9.tmp\62EA.tmp\62FB.bat

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.e5b895e9aa0f2d53
CAT-QuickHeal	Trojan.GenericPMF.S16976269
Sangfor	Trojan.Win32.Save.a
Cyren	W32/Delf.MV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Antiy-AVL	Trojan/Generic.ASMalwS.2B9E7F9
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZexaF.34758.quW@a0USgqh
Rising	Malware.Heuristic!ET#100% (RDMK:cmRtazoRWr46e7Sivxf7/JP6a5XK)
eGambit	Unsafe.AI_Score_63%
MaxSecure	Trojan.Malware.300983.susgen
Panda	Trj/Genetic.gen