Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 27, 2023, 10:04 a.m.	Oct. 27, 2023, 10:07 a.m.

Size	2.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`252278969fa0d8c1cc719e73b61a76a4`
SHA256	`617cc50e0428e187c69d94da100ea9d3653a1b557e0cb76ba8a767a919192195`
CRC32	`2B8C66E4`
ssdeep	`49152:ikWk5cS7a+9XYaQ9Zehc4mTYJ78V9gyBn4c0fmP/SA8N:WajJSZ942KQV9hp4dfmP/SA8`
Yara	UPX_Zero - UPX packed file Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Antivirus - Contains references to security software

E-FILLING FORM B.bat "C:\Users\test22\AppData\Local\Temp\E-FILLING FORM B.bat"
3032
- cmd.exe cmd.exe /c C:\Users\test22\AppData\Local\Temp\
  932
- igmwllfk.exe "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igmwllfk.exe"
  1368

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 27, 2023, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 27, 2023, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 27, 2023, 10:04 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 27, 2023, 10:04 a.m.	buffer: 'C:\Users\test22\AppData\Local\Temp\' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 27, 2023, 10:04 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	CUSTOM
resource name	SHA

One or more processes crashed (23 events)

Time & API	Arguments	Status
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635416 registers.edi: 7189864 registers.eax: 1635416 registers.ebp: 1635496 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635376 registers.edi: 7189864 registers.eax: 1635376 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635360 registers.edi: 7189864 registers.eax: 1635360 registers.ebp: 1635440 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635376 registers.edi: 7189864 registers.eax: 1635376 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635060 registers.edi: 1635248 registers.eax: 1635060 registers.ebp: 1635140 registers.edx: 0 registers.ebx: 7189864 registers.esi: 1635248 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1634800 registers.edi: 7189864 registers.eax: 1634800 registers.ebp: 1634880 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635012 registers.edi: 7189864 registers.eax: 1635012 registers.ebp: 1635092 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635384 registers.edi: 7189864 registers.eax: 1635384 registers.ebp: 1635464 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44 ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33 e-filling form b+0x9c8c @ 0x409c8c IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034 IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667 IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7 IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1 DLLGetDocumentation+0x25b2 EbGetVBAObject-0xb8f msvbvm60+0xc88e0 @ 0x72a088e0 DLLGetDocumentation+0x2619 EbGetVBAObject-0xb28 msvbvm60+0xc8947 @ 0x72a08947 IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33 e-filling form b+0x276c @ 0x40276c IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034 IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667 IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7 IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1 IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18 BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 e-filling form b+0x127a @ 0x40127a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635424 registers.edi: 7189744 registers.eax: 1635424 registers.ebp: 1635504 registers.edx: 0 registers.ebx: 6318700 registers.esi: 1636004 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636788 registers.edi: 7189864 registers.eax: 1636788 registers.ebp: 1636868 registers.edx: 0 registers.ebx: 7189864 registers.esi: 7189864 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635416 registers.edi: 8300144 registers.eax: 1635416 registers.ebp: 1635496 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635376 registers.edi: 8300144 registers.eax: 1635376 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635360 registers.edi: 8300144 registers.eax: 1635360 registers.ebp: 1635440 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635376 registers.edi: 8300144 registers.eax: 1635376 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635328 registers.edi: 1635516 registers.eax: 1635328 registers.ebp: 1635408 registers.edx: 0 registers.ebx: 8300144 registers.esi: 1635516 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635384 registers.edi: 8300144 registers.eax: 1635384 registers.ebp: 1635464 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635088 registers.edi: 8300144 registers.eax: 1635088 registers.ebp: 1635168 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635088 registers.edi: 8300144 registers.eax: 1635088 registers.ebp: 1635168 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635088 registers.edi: 8300144 registers.eax: 1635088 registers.ebp: 1635168 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635384 registers.edi: 8300144 registers.eax: 1635384 registers.ebp: 1635464 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635328 registers.edi: 1635516 registers.eax: 1635328 registers.ebp: 1635408 registers.edx: 0 registers.ebx: 8300144 registers.esi: 1635516 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635384 registers.edi: 8300144 registers.eax: 1635384 registers.ebp: 1635464 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1
__exception__ Oct. 27, 2023, 10:04 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635380 registers.edi: 8300144 registers.eax: 1635380 registers.ebp: 1635460 registers.edx: 0 registers.ebx: 8300144 registers.esi: 8300144 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 27, 2023, 10:04 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74322000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 27, 2023, 10:04 a.m.	process_identifier: 1368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74322000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igmwllfk.exe

Creates a suspicious process (1 event)

cmdline

cmd.exe /c C:\Users\test22\AppData\Local\Temp\

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igmwllfk.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 27, 2023, 10:04 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00680000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00208000', u'virtual_address': u'0x00001000', u'entropy': 7.743262631890021, u'name': u'.text', u'virtual_size': u'0x00207fa4'}

entropy

7.74326263189

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00042000', u'virtual_address': u'0x0020e000', u'entropy': 7.981017101419837, u'name': u'.rsrc', u'virtual_size': u'0x000416a8'}

entropy

7.98101710142

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igmwllfk.exe

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
ClamAV	Win.Keylogger.Kutaki-9969497-0
Malwarebytes	Generic.Malware.AI.DDS
Cybereason	malicious.32393e
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.KeyLogger.ODN
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.Win32.KeyLogger.pef
Rising	Stealer.Kutaki!1.D278 (CLASSIC)
F-Secure	Trojan.TR/Dropper.Gen
TrendMicro	TSPY_VBKEYLOG.SM
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.252278969fa0d8c1
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Generic.adrmt
Google	Detected
Avira	TR/Dropper.Gen
Kingsoft	malware.kb.a.986
ZoneAlarm	HEUR:Trojan-Spy.Win32.KeyLogger.pef
Microsoft	Trojan:Script/Phonzy.B!ml
Varist	W32/Keylogger.BD.gen!Eldorado
AhnLab-V3	Spyware/Win.Vbkeylog.R513616
DeepInstinct	MALICIOUS
Cylance	unsafe
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TSPY_VBKEYLOG.SM
Ikarus	Trojan-Spy.Agent
Fortinet	W32/KeyLogger.NJK!tr
BitDefenderTheta	Gen:NN.ZevbaF.36792.so0@aCxDQMbi
AVG	Win32:Kutaki-A [Spy]
Avast	Win32:Kutaki-A [Spy]
CrowdStrike	win/malicious_confidence_90% (D)

E-FILLING FORM B.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All