popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

cleanse.exe

Generic Malware UPX Antivirus Malicious Library Anti_VM Word 2007 file format(docx) MSOffice File PE File DLL OS Processor Check JPEG Format PE32 ZIP Format .NET EXE BMP Format CHM Format
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 11, 2023, 6:33 p.m. Oct. 11, 2023, 6:37 p.m.
Size 10.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 0e85f5058fa30907be18273932a6f917
SHA256 fe086a9260e0a437b040caa7e074fa610a428af9624cd5f68d02571ffc2009e4
CRC32 50DDA9A9
ssdeep 192:KkS+M/nAPyass198Wxo0h/eBozq5vPVGN8:KH+QAPya119zdFwoe5vPk
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Antivirus - Contains references to security software
  • Is_DotNET_EXE - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000630000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000680000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3c6b000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b80000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000ce0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35d4000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e6c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f0c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f36000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93f80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 792
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file C:\Users\test22\AppData\Local\Temp\cleanse.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
FireEye Generic.mg.0e85f5058fa30907
Cylance unsafe
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZemsilCO.36738.am0@amK9PBh
Elastic malicious (moderate confidence)
APEX Malicious
Cynet Malicious (score: 100)
SentinelOne Static AI - Malicious PE
Webroot Trojan.Dropper.Gen
Kingsoft malware.kb.c.991
Google Detected
DeepInstinct MALICIOUS
Rising Malware.Obfus/MSIL@AI.82 (RDM.MSIL2:Uvo0h++HzDxsveFpw78VEg)
Ikarus Trojan.Dropper
Cybereason malicious.00461d
file C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file C:\Users\test22\AppData\Local\Temp\ArmUI.ini
file C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file C:\Users\test22\AppData\Local\Temp\SetupExe(20210707200853994).log
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file C:\Users\test22\AppData\Local\Temp\dd_dotnet4.5_decompression_log.txt
file C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file C:\Users\test22\AppData\Local\Temp\AdobeARM.log
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000028.log
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file C:\Users\test22\AppData\Local\Temp\01.ps1
file C:\Users\test22\AppData\Local\Temp\jawshtml.html
file C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000025.log
file C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000013.log
file C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00001.log
file C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file C:\Users\test22\AppData\Local\Temp\Setup00000994\SETUP.CHM
file C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000017.log
file C:\Users\test22\AppData\Local\Temp\chrome_installer.log
file C:\Users\test22\AppData\Local\Temp\UserInfoSetup(20180405152131B24).log
file C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000020.log
file C:\Users\test22\AppData\Local\Temp\RGIC87.tmp-tmp
file C:\Users\test22\AppData\Local\Temp\java_install.log
file C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000007.log
file C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file C:\Users\test22\AppData\Local\Temp\bchC68D.tmp
file C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 Setup_20200715_141303844.html
file C:\Users\test22\AppData\Local\Temp\PrinterSetup.log
file C:\Users\test22\AppData\Local\Temp\Setup00000994\BRANDING.XML
file C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00002.log
file C:\Users\test22\AppData\Local\Temp\dd_TMPA86C.tmp_decompression_log.txt
file C:\Users\test22\AppData\Local\Temp\CVR8B49.tmp.cvr
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\BRANDING.XML
file C:\Users\test22\AppData\Local\Temp\RD25B7.tmp
file C:\Users\test22\AppData\Local\Temp\outlook logging\firstrun.log
file C:\Users\test22\AppData\Local\Temp\7zO8F39374F\test.docx
file C:\Users\test22\AppData\Local\Temp\Outlook 로깅\test2gmailcom-Incoming-04_05_2018-14_18_32_876.log
file C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file C:\Users\test22\AppData\Local\Temp\SetupExe(202107071812439D0).log