Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 22, 2022, 10:53 p.m.	March 22, 2022, 11:13 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f4275755a8c4772d42f28aab97299ec9`
SHA256	`1ad583a247d0d9ac8171541724e48a64b00f9f10174a24fe93cc0a2d7d552c30`
CRC32	`42EC849A`
ssdeep	`24576:WgM+eWSQ8Ncmndl9UxN5Lv3HhsJd850R/mctJ:WgJ86mnT905L3hsJd8SRBt`
Yara	IsPE32 - (no description) Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Office1Click.exe "C:\Users\test22\AppData\Local\Temp\Office1Click.exe"
2776
- cmd.exe "cmd" /c ping 127.0.0.1 -n 81 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "BnGHMnjkl" /t REG_SZ /d "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe"
  2916
  - PING.EXE ping 127.0.0.1 -n 81
    2992
  - reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "BnGHMnjkl" /t REG_SZ /d "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe"
    1604
- cmd.exe "cmd" /c ping 127.0.0.1 -n 86 > nul && copy "C:\Users\test22\AppData\Local\Temp\Office1Click.exe" "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe" && ping 127.0.0.1 -n 86 > nul && "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe"
  3012
  - PING.EXE ping 127.0.0.1 -n 86
    3068

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2022, 10:53 p.m.			0	0
IsDebuggerPresent March 22, 2022, 10:53 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 22, 2022, 10:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a5298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2022, 10:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a52d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 22, 2022, 10:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a52d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 22, 2022, 10:53 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (47 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00607000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ff22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00891000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:53 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:54 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 22, 2022, 10:54 p.m.	process_identifier: 2776 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Foreign language identified in PE resource (50 out of 92 events)

name

RT_BITMAP

language

LANG_ENGLISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x0012a0b8

size

0x00000428

name

RT_BITMAP

language

LANG_ENGLISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x0012a0b8

size

0x00000428

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_MENU

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00156614

size

0x00000068

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

name

RT_DIALOG

language

LANG_ENGLISH

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

offset

0x00162a50

size

0x0000015c

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 22, 2022, 10:53 p.m.	thread_identifier: 2920 thread_handle: 0x00000300 process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c ping 127.0.0.1 -n 81 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "BnGHMnjkl" /t REG_SZ /d "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000030c	1	1	0
CreateProcessInternalW March 22, 2022, 10:54 p.m.	thread_identifier: 3020 thread_handle: 0x00000284 process_identifier: 3012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c ping 127.0.0.1 -n 86 > nul && copy "C:\Users\test22\AppData\Local\Temp\Office1Click.exe" "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe" && ping 127.0.0.1 -n 86 > nul && "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000264	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 22, 2022, 10:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	"cmd" /c ping 127.0.0.1 -n 81 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "BnGHMnjkl" /t REG_SZ /d "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe"
cmdline	ping 127.0.0.1 -n 86
cmdline	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "BnGHMnjkl" /t REG_SZ /d "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe"
cmdline	ping 127.0.0.1 -n 81
cmdline	"cmd" /c ping 127.0.0.1 -n 86 > nul && copy "C:\Users\test22\AppData\Local\Temp\Office1Click.exe" "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe" && ping 127.0.0.1 -n 86 > nul && "C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe"

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 22, 2022, 10:53 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	Office1Click.exe tried to sleep 5456459 seconds, actually delayed analysis time by 5456459 seconds
description	PING.EXE tried to sleep 122 seconds, actually delayed analysis time by 122 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BnGHMnjkl

reg_value

C:\Users\test22\AppData\Roaming\Microsoft\DfCGHMn.exe

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\Office1Click.exe\:Zone.Identifier

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

DrWeb	Trojan.PackedNET.1250
MicroWorld-eScan	Gen:Variant.Barys.58343
FireEye	Generic.mg.f4275755a8c4772d
ALYac	Gen:Variant.Barys.58343
Cylance	Unsafe
K7AntiVirus	Unwanted-Program ( 005447311 )
K7GW	Unwanted-Program ( 005447311 )
Cybereason	malicious.5a8c47
Arcabit	Trojan.Barys.DE3E7
Cyren	W32/MSIL_Kryptik.GUP.gen!Eldorado
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AENR
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Gen:Variant.Barys.58343
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Barys.58343
Emsisoft	Gen:Variant.Barys.58343 (B)
F-Secure	Trojan.TR/AD.Remcos.ncskd
McAfee-GW-Edition	Artemis
SentinelOne	Static AI - Suspicious PE
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Avira	TR/AD.Remcos.ncskd
Gridinsoft	Trojan.Win32.YTAdBlock.dd!s1
Microsoft	Backdoor:Win32/Remcos.GA!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	MSIL.Trojan.BSE.1H0N16F
Cynet	Malicious (score: 100)
McAfee	Artemis!F4275755A8C4
Malwarebytes	RiskWare.ProcessHacker
APEX	Malicious
MAX	malware (ai score=86)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AENR!tr
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (W)

Office1Click.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All