Summary | ZeroBOX
Tags: PWS, ZIP Format

Category:  ARCHIVE
Machine:   s1_win7_x6401
Started:   June 8, 2024, 2:27 a.m.
Completed: June 8, 2024, 2:35 a.m.

Archive member analyzed: Open-Audit-Classic-master/htdocs/openaudit/out/testipscan.xlsx @ Open-Audit-Classic-master.zip

Summary

Size    3.9KB
Type    Microsoft Excel 2007+
MD5     62af5df60e921eb75e8a811735317410
SHA1    82d40c40e2f0341e5342c637710f893312674962
SHA256  8d0cd9f5b8b03aa5a3d4dd2900ea74bd498dbf633b4077c0f6e49e9e7aefb6f4
SHA512  e0e3f801872dca26b23743b0b20eb91917b0fddc565cf9d383cb528951f201e079c62240aa62680b97fdf42a515287c9ed476b7eb04f96fde3e529b17cde932b
CRC32   CA434FE3
ssdeep  48:0BgYjNQ5KIBgJD+CtPsWBnafSPgB5PrkpW9yQA7a0rbt++92hmP3Oke9jJts//Sk:03yBOOWBnmrUna0tiAP3OkeJq///v
Yara
  • zip_file_format - ZIP file format
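The Summary table above is what a sandbox produces for one archive member: a ZIP-magic match (the zip_file_format Yara rule), a libmagic-style type, and a set of digests. The script below reproduces that triage for a member of an outer ZIP so the numbers can be regenerated and compared with the report. It is an added example, not ZeroBOX's own code: the outer archive and the minimal workbook inside it are constructed sample data, and the OOXML part-name table is a simplified stand-in for the libmagic rules that yield "Microsoft Excel 2007+". ssdeep is omitted because it needs a third-party library.

```python
"""Triage one ZIP member: magic check, OOXML type, digests, CRC cross-check.

Added example, not ZeroBOX code. Sample archive is constructed inline.
"""
import hashlib
import io
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature the Yara rule keys on

# Assumption: simplified version of the libmagic rules for Office 2007+ containers.
OOXML_MARKERS = {
    "xl/workbook.xml": "Microsoft Excel 2007+",
    "word/document.xml": "Microsoft Word 2007+",
    "ppt/presentation.xml": "Microsoft PowerPoint 2007+",
}


def identify(data: bytes) -> str:
    """Return a libmagic-style type string for a blob."""
    if not data.startswith(ZIP_MAGIC):
        return "data"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        # Magic matched but no usable central directory: truncated or damaged.
        return "Zip archive data (truncated or damaged)"
    if "[Content_Types].xml" in names:
        for marker, label in OOXML_MARKERS.items():
            if marker in names:
                return label
    return "Zip archive data"


def triage_member(archive: bytes, member: str) -> dict:
    """Hash one member and report both the recomputed CRC32 and the one the
    outer archive's central directory claims for it. zipfile already raises
    BadZipFile on read if the two disagree, so a returned dict means they match."""
    with zipfile.ZipFile(io.BytesIO(archive)) as outer:
        info = outer.getinfo(member)
        data = outer.read(member)
    return {
        "name": member,
        "size": len(data),
        "type": identify(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "crc32_directory": "%08X" % info.CRC,
    }


def build_sample_archive() -> bytes:
    """Constructed sample: an outer ZIP holding a minimal workbook and a text file."""
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample-master/out/testipscan.xlsx", xlsx.getvalue())
        z.writestr("sample-master/README.txt", "plain text member")
    return outer.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for name in ("sample-master/out/testipscan.xlsx", "sample-master/README.txt"):
        for key, value in triage_member(archive, name).items():
            print(f"{key:>16}: {value}")
        print()
```

Run it against the real archive by replacing build_sample_archive() with the bytes of Open-Audit-Classic-master.zip and the member path from the Summary; the CRC32, MD5, SHA1, SHA256 and SHA512 lines should then match the table above exactly.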

DNS lookups (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address      Status   Action
164.124.101.2   Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Memory API calls (process 2732)

All nine calls share the same fields: process_identifier 2732, process_handle 0xffffffff (the current-process pseudo-handle), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0. Each one has Status 1, Return 0 (STATUS_SUCCESS), Repeated 0. The fields that differ are tabulated below; length is the NtProtectVirtualMemory argument and region_size the NtAllocateVirtualMemory one.

Time & API               base_address  length/region_size  protection                   allocation_type
NtProtectVirtualMemory   0x6f5b1000    4096                64 (PAGE_EXECUTE_READWRITE)  -
NtProtectVirtualMemory   0x6f60f000    4096                64 (PAGE_EXECUTE_READWRITE)  -
NtProtectVirtualMemory   0x6f60f000    4096                64 (PAGE_EXECUTE_READWRITE)  -
NtProtectVirtualMemory   0x6f711000    4096                64 (PAGE_EXECUTE_READWRITE)  -
NtAllocateVirtualMemory  0x04ef0000    4096                64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x04ef0000    4096                64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x04f20000    4096                64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x04f70000    4096                64 (PAGE_EXECUTE_READWRITE)  4096 (MEM_COMMIT)
NtProtectVirtualMemory   0x6f4b1000    4096                64 (PAGE_EXECUTE_READWRITE)  -
File created: C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx

The ~$ prefix, hidden attribute and FILE_DELETE_ON_CLOSE option are the pattern of the owner file Office creates beside a document while it is open; the file goes away when the handle is closed.

Time & API: NtCreateFile
  create_disposition: 2 (FILE_CREATE)
  file_handle: 0x000003a4
  filepath: C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx
  desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
  file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
  filepath_r: \??\C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx
  create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
  status_info: 2 (FILE_CREATED)
  share_access: 1 (FILE_SHARE_READ)
  Status 1, Return 0 (STATUS_SUCCESS), Repeated 0
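The memory and file records above are the behavioural evidence this report carries. The script below reduces them to what a triage decision actually rests on: how many PAGE_EXECUTE_READWRITE events there are, how many distinct pages they touch once repeats on the same base address are collapsed, and whether the one file creation is anything other than the Office owner-file pattern. It is an added example, not ZeroBOX or Cuckoo code. EVENTS is a constructed transcription of the ten records shown for pid 2732; the constants are the documented Win32 values and the path is copied from the report.

```python
"""Reduce the report's API-call records to the facts a triage verdict rests on.

Added example, not ZeroBOX/Cuckoo code. EVENTS transcribes the records above.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_DELETE_ON_CLOSE = 0x1000            # NtCreateFile create_options bit
MEMORY_APIS = ("NtProtectVirtualMemory", "NtAllocateVirtualMemory")
OWNER_FILE = re.compile(r"\\~\$[^\\]+$")  # Office owner/lock file: ~$name.ext


def mem(api, base):
    """Shorthand: every memory record in this report is 4 KiB, RWX, in pid 2732."""
    return {"api": api, "pid": 2732, "base": base, "size": 4096, "protection": 0x40}


EVENTS = [
    mem("NtProtectVirtualMemory", 0x6F5B1000),
    mem("NtProtectVirtualMemory", 0x6F60F000),
    mem("NtProtectVirtualMemory", 0x6F60F000),
    mem("NtProtectVirtualMemory", 0x6F711000),
    mem("NtAllocateVirtualMemory", 0x04EF0000),
    mem("NtAllocateVirtualMemory", 0x04EF0000),
    mem("NtAllocateVirtualMemory", 0x04F20000),
    mem("NtAllocateVirtualMemory", 0x04F70000),
    mem("NtProtectVirtualMemory", 0x6F4B1000),
    {
        "api": "NtCreateFile", "pid": 2732,
        "filepath": r"C:\Users\test22\AppData\Local\Temp\Open-Audit-Classic-master\htdocs\openaudit\out\~$testipscan.xlsx",
        "file_attributes": 0x2, "create_options": 4198496, "create_disposition": 2,
    },
]


def rwx_events(events):
    """Memory calls that requested PAGE_EXECUTE_READWRITE."""
    return [e for e in events
            if e["api"] in MEMORY_APIS and e.get("protection") == PAGE_EXECUTE_READWRITE]


def collapse(events):
    """Count RWX events per (api, base) so a repeated call on one page is one region."""
    counts = {}
    for e in events:
        key = (e["api"], e["base"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def is_office_owner_file(e):
    """Hidden, delete-on-close ~$file: the owner file Office keeps beside an open document."""
    return bool(
        e["api"] == "NtCreateFile"
        and OWNER_FILE.search(e["filepath"])
        and e["file_attributes"] & FILE_ATTRIBUTE_HIDDEN
        and e["create_options"] & FILE_DELETE_ON_CLOSE
    )


def summarise(events):
    rwx = rwx_events(events)
    regions = collapse(rwx)
    files = [e for e in events if e["api"] == "NtCreateFile"]
    return {
        "rwx_events": len(rwx),
        "rwx_regions": len(regions),
        "rwx_by_api": {api: sum(1 for a, _ in regions if a == api) for api in MEMORY_APIS},
        "repeated_regions": [f"{a} {b:#010x}" for (a, b), n in regions.items() if n > 1],
        "office_owner_files": [e["filepath"] for e in files if is_office_owner_file(e)],
        "other_files": [e["filepath"] for e in files if not is_office_owner_file(e)],
    }


if __name__ == "__main__":
    for key, value in summarise(EVENTS).items():
        print(f"{key:>20}: {value}")
```

For this report the summary comes out as nine RWX events on seven distinct 4 KiB pages (four protection changes in the 0x6f4b0000-0x6f720000 range, three fresh commits at 0x04ef0000, 0x04f20000 and 0x04f70000) and a single file creation that matches the owner-file pattern, which is the whole of the evidence behind the Generic_PWS_Memory_Zero hit.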
URLs (strings extracted by the sandbox, reproduced exactly as extracted, including cut-off fragments and trailing characters)
  • http://pu
  • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
  • http://office.microsoft.com
  • http://crl.verisign.com/ThawteTimestampingCA.crl0
  • http://ocsp.verisign.com0
  • http://purl.org/dc/elements/1.1/
  • http://purl.org/dc/dcmitype/
  • http://www.
  • http://purl.org/dc/terms/
  • http://crl.verisign.com/tss-ca.crl0
  • http://purl.org/dc/terms
  • http://schemas.openxmlformats.org/package/2006/metadata/core-properties

Signature description: PWS Memory rule Generic_PWS_Memory_Zero
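The URL list is raw string-scanner output, so it needs sorting before any of it is treated as an indicator. The script below, an added example rather than part of the report, buckets the twelve strings into cut-off fragments, OOXML/Dublin Core namespace identifiers (XML metadata, not network destinations), certificate infrastructure (CA certificate, CRL and OCSP URLs) and everything else. The trailing "0" on the certificate URLs is explained by how they were carved: in a DER-encoded certificate the byte after a URL is usually the 0x30 tag of the next SEQUENCE, which prints as "0". URLS is a constructed copy of the list above; the bucket rules are mine, not the sandbox's.

```python
"""Sort a sandbox's extracted URL strings into triage buckets.

Added example, not part of the ZeroBOX report. URLS copies the list above.
"""
import re
from urllib.parse import urlsplit

URLS = [
    "http://pu",
    "http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0",
    "http://office.microsoft.com",
    "http://crl.verisign.com/ThawteTimestampingCA.crl0",
    "http://ocsp.verisign.com0",
    "http://purl.org/dc/elements/1.1/",
    "http://purl.org/dc/dcmitype/",
    "http://www.",
    "http://purl.org/dc/terms/",
    "http://crl.verisign.com/tss-ca.crl0",
    "http://purl.org/dc/terms",
    "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
]

# Hosts that appear in OOXML parts only as XML namespace identifiers.
NAMESPACE_HOSTS = {"purl.org", "schemas.openxmlformats.org"}
# (host, path prefix) pairs for CA-certificate, CRL and OCSP distribution points.
CERT_INFRA = (
    ("www.microsoft.com", "/pki/"),
    ("crl.verisign.com", "/"),
    ("ocsp.verisign.com", "/"),
)
# A URL carved out of DER usually drags along the 0x30 ('0') tag byte that follows it.
DER_RESIDUE = re.compile(r"(\.[A-Za-z]{2,})0$")


def normalise(url: str) -> str:
    """Drop a single trailing '0' that follows a dotted alphabetic token (.com0, .crl0)."""
    return DER_RESIDUE.sub(r"\1", url)


def is_fragment(url: str) -> bool:
    """A host with no dot, or ending in one, is a string cut off mid-token."""
    host = urlsplit(url).netloc
    return "." not in host or host.endswith(".")


def classify(url: str) -> str:
    if is_fragment(url):
        return "fragment"
    parts = urlsplit(normalise(url))
    if parts.netloc in NAMESPACE_HOSTS:
        return "ooxml-namespace"
    for host, prefix in CERT_INFRA:
        if parts.netloc == host and (parts.path or "/").startswith(prefix):
            return "certificate-infrastructure"
    return "other"


def bucket(urls):
    """Return {category: [normalised urls]} in the report's original order."""
    out = {}
    for url in urls:
        out.setdefault(classify(url), []).append(normalise(url))
    return out


if __name__ == "__main__":
    for category, members in bucket(URLS).items():
        print(category)
        for member in members:
            print("   ", member)
```

Only the "other" bucket is left to look at by hand; here that is http://office.microsoft.com, and the Suricata and DNS sections above show none of these addresses was actually contacted during the run.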