Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 12, 2023, 9:12 a.m.	April 12, 2023, 9:14 a.m.

Size	864.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
MD5	`46fabd3f430861f683716bc8857de68d`
SHA256	`115e61f3a2dc4990c828bc0e83750d5c90f9826004b597864613b70bec9dbc74`
CRC32	`4FFCF9BD`
ssdeep	`24576:+QU4J4Vz9b9979Z+KCz+wQ2+WgnJr3sy/GytKAHu:BCVz5v7T+/6Jr3xOBAO`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

kXFpZBb.exe "C:\Users\test22\AppData\Local\Temp\kXFpZBb.exe"
2560
- ipconfig.exe ipconfig jdhfjkshdjkfhksjdf
  2612
- cmd.exe cmd /c cmd < Functional
  2672
  - cmd.exe cmd
    2756
    - powershell.exe powershell get-process avastui
      2820

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 9:12 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2023, 9:12 a.m.			0	0

Command line console output was observed (50 out of 342 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: Error: unrecognized or incomplete command line. console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: USAGE: ipconfig [/allcompartments] [/? \| /all \| /renew [adapter] \| /release [adapter] \| /renew6 [adapter] \| /release6 [adapter] \| /flushdns \| /displaydns \| /registerdns \| /showclassid adapter \| /setclassid adapter [classid] \| /showclassid6 adapter \| /setclassid6 adapter [classid] ] where adapter Connection name (wildcard characters * and ? allowed, see examples) Options: /? Display this help message /all Display full configuration information. /release Release the IPv4 address for the specified adapter. /release6 Release the IPv6 address for the specified adapter. /renew Renew the IPv4 address for the specified adapter. console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: /renew6 Renew the IPv6 address for the specified adapter. /flushdns Purges the DNS Resolver cache. /registerdns Refreshes all DHCP leases and re-registers DNS names /displaydns Display the contents of the DNS Resolver Cache. /showclassid Displays all the dhcp class IDs allowed for adapter. /setclassid Modifies the dhcp class id. /showclassid6 Displays all the IPv6 DHCP class IDs allowed for adapter. /setclassid6 Modifies the IPv6 DHCP class id. The default is to display only the IP address, subnet mask and default gateway for each adapter bound to TCP/IP. For Release and Renew, if no adapter name is specified, then the IP address leases for all adapters bound to TCP/IP will be released or renewed. For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed. Examples: > ipconfig ... Show information > ipconfig /all ... S console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: how detailed information > ipconfig /renew ... renew all adapters > ipconfig /renew EL* ... renew any connection that has its name starting with EL > ipconfig /release Con ... release all matching connections, eg. "Local Area Connection 1" or "Local Area Connection 2" > ipconfig /allcompartments ... Show information about all compartments > ipconfig /allcompartments /all ... Show detailed information about all compartments console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: Microsoft Windows [Version 6.1.7601] console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: Set zgozEBVYabVJvAgLYwgUtdyHKVabGKwbsrLoczwiUXbmyr=q console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: QJgYBZNepBIJobsHcna=PyfFquZiSFBHvUHXc console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'QJgYBZNepBIJobsHcna' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: VsfIZUKsZbF=tHLuJLzJYxqGlEqwhgQzkaCqru console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'VsfIZUKsZbF' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: cVIiBBeBTVfl=EMtBsJnxTItKHjELyLeCEYOdjnti console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'cVIiBBeBTVfl' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: uyXrUPmgqIx=MBjDvUgnPOlhHsFYNgTEssN console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'uyXrUPmgqIx' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: iHMbtbteIUSvBNQDPIhaV=cCpAALOPsxOJvPiRzaJiENn console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'iHMbtbteIUSvBNQDPIhaV' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: bqndOItcIbkph=WzgTDbISdqcYgUINyItqr console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'bqndOItcIbkph' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: jnqIdawYDXDPcdTLpqA=JnUQzpMUsDyhAbuPSUidQ console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'jnqIdawYDXDPcdTLpqA' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: Set bbxmnaTxnrAnPOEpguFuHqSdgYltSfTlOswv=p console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: KxwXteNeHskIFqKJKvFrlAoPBppd=bNiNzvlyKWPDjsSSpJTmtHE console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'KxwXteNeHskIFqKJKvFrlAoPBppd' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: aKljjcUTbapDtVkEmEqAQAXpfW=AdQFQpdxJkXTgwWy console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'aKljjcUTbapDtVkEmEqAQAXpfW' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: igOgbgZmHtqSNwXfrxCGNzxNACa=LLnUxrwqirewRyotfCWl console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'igOgbgZmHtqSNwXfrxCGNzxNACa' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: DlGzmuNUqN=WbOVFubJZWoqaAPHlfnYGoBiBSA console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'DlGzmuNUqN' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: WguudiyzdhmptjltclgSJnCECOgN=GxNFCNLPwKlcvsXQfUxYvMdEHkbL console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'WguudiyzdhmptjltclgSJnCECOgN' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: DBTsbKSMDCmmfxmrbhiEN=UUPATroYdfZjbod console_handle: 0x00000007	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: 'DBTsbKSMDCmmfxmrbhiEN' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 12, 2023, 9:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (47 events)

Time & API	Arguments	Status	Return
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073fa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073fa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073fa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073fa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073fa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073fa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073ee28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073eda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 9:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0073f568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2023, 9:12 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

Allocates read-write-execute memory (usually to unpack itself) (50 out of 134 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0232a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02334000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0236b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02367000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0232b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02365000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02335000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02336000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0236c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02353000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02354000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02355000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02358000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02359000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05231000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05232000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05233000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05234000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05235000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05236000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05237000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05238000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05239000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0523f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05241000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05242000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05243000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 9:12 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05244000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 3252918 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW April 12, 2023, 9:12 a.m.	number_of_free_clusters: 3252918 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell get-process avastui

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000cbe00', u'virtual_address': u'0x0000f000', u'entropy': 7.910647629858675, u'name': u'.rsrc', u'virtual_size': u'0x000cbd78'}

entropy

7.91064762986

description

A section with a high entropy has been found

entropy

0.944412275622

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 12, 2023, 9:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ipconfig jdhfjkshdjkfhksjdf

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Agent.Y!c
Cynet	Malicious (score: 99)
McAfee	Artemis!46FABD3F4308
Cylance	unsafe
VIPRE	Trojan.GenericKD.66342135
Sangfor	Backdoor.Win32.Packed.Vyiz
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Packed:Win32/Nekark.38cea3b0
K7GW	Riskware ( 0040eff71 )
Cyren	W32/ABRisk.IPKT-9275
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.CAB.FQ suspicious
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Backdoor.Win32.Agent.myuntc
BitDefender	Trojan.GenericKD.66342135
MicroWorld-eScan	Trojan.GenericKD.66342135
Tencent	Win32.Backdoor.Agent.Hjgl
Emsisoft	Trojan.GenericKD.66342135 (B)
F-Secure	Trojan.TR/AD.Nekark.gikgz
McAfee-GW-Edition	BehavesLike.Win32.Dropper.cc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.46fabd3f430861f6
Sophos	Mal/Generic-S
Paloalto	generic.ml
GData	Win32.Trojan.Agent.KVO7FK
Webroot	W32.Trojan.GenKD
Avira	TR/AD.Nekark.gikgz
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Backdoor]/Win32.Agent
Gridinsoft	Backdoor.Win32.Quasar.bot
Arcabit	Trojan.Generic.D3F44CF7
ZoneAlarm	Backdoor.Win32.Agent.myuntc
Microsoft	Trojan:Win32/Woreflint.A!cl
Google	Detected
VBA32	TrojanDownloader.Lgoog
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Agent.PHX
TrendMicro-HouseCall	TROJ_GEN.R002H07DA23
Yandex	Riskware.Agent!hb0WYHVEBaw
Ikarus	Win32.Outbreak
Fortinet	PossibleThreat.MU
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS

kXFpZBb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All