Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 10, 2024, 12:25 p.m.	Aug. 10, 2024, 12:27 p.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`3970ef9883559736fed2976032935fe9`
SHA256	`ce94b211fba60454a03ccb8a2652277ce00470ecfdbc63d9a81a183010b93d87`
CRC32	`A701455D`
ssdeep	`24576:ckwiWknnGQN2KMcavDjBm9Xf4WBtyyh+I3tG2fKLXC1cm9M0fxTm2wDO649:kiWEqbz79mNgIh+I3tzKLy1ZBXwDB4`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

win32.exe "C:\Users\test22\AppData\Local\Temp\win32.exe"
2548
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  3028
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2568
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2456
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/GPKI/'
  1080
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  232
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  1792
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2312
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  1332
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2132
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Python27/'
  2052
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2100
- powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Sandbox/'
  1800
schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\tmptqb9ww\modules\auxiliary\__pycache__\lsass.exe'" /f
2360
schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\tmptqb9ww\modules\auxiliary\__pycache__\lsass.exe'" /rl HIGHEST /f
2500
schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\tmptqb9ww\modules\auxiliary\__pycache__\lsass.exe'" /rl HIGHEST /f
2648
schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\GPKI\csrss.exe'" /f
2620
schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\GPKI\csrss.exe'" /rl HIGHEST /f
1456
schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\GPKI\csrss.exe'" /rl HIGHEST /f
1064
schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\tmpuvzci8\.idea\inspectionProfiles\wininit.exe'" /f
2720
schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\tmpuvzci8\.idea\inspectionProfiles\wininit.exe'" /rl HIGHEST /f
1616
schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\tmpuvzci8\.idea\inspectionProfiles\wininit.exe'" /rl HIGHEST /f
1320
schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\util\ProcessMonitor\smss.exe'" /f
2772
schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\util\ProcessMonitor\smss.exe'" /rl HIGHEST /f
2148
schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\util\ProcessMonitor\smss.exe'" /rl HIGHEST /f
2176
schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'" /f
1404
schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'" /rl HIGHEST /f
1252
schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'" /rl HIGHEST /f
772

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (47 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 10, 2024, 12:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 10, 2024, 12:26 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 10, 2024, 12:18 p.m.			0	0
IsDebuggerPresent Aug. 10, 2024, 12:18 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 10, 2024, 12:18 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 350 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9435c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94386000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94401000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9444f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94404000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 10, 2024, 12:18 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2376000 process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 10, 2024, 12:18 p.m.	total_number_of_free_bytes: 13319180288 free_bytes_available: 13319180288 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a suspicious process (13 events)

cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/GPKI/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Sandbox/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Python27/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
cmdline	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

A process created a hidden window (13 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 3036 thread_handle: 0x0000000000000244 process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000254	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 2464 thread_handle: 0x0000000000000244 process_identifier: 2456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000258	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 2584 thread_handle: 0x0000000000000244 process_identifier: 2568 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000328	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 2380 thread_handle: 0x0000000000000244 process_identifier: 1080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/GPKI/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000334	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 2684 thread_handle: 0x0000000000000244 process_identifier: 232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000378	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 884 thread_handle: 0x0000000000000244 process_identifier: 1792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000037c	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 2296 thread_handle: 0x0000000000000244 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000388	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 1308 thread_handle: 0x0000000000000244 process_identifier: 1332 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000038c	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 2128 thread_handle: 0x0000000000000244 process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000390	1	1
CreateProcessInternalW Aug. 10, 2024, 12:19 p.m.	thread_identifier: 3068 thread_handle: 0x0000000000000244 process_identifier: 2052 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Python27/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000394	1	1
CreateProcessInternalW Aug. 10, 2024, 12:20 p.m.	thread_identifier: 1264 thread_handle: 0x0000000000000244 process_identifier: 2100 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000000000000398	1	1
CreateProcessInternalW Aug. 10, 2024, 12:20 p.m.	thread_identifier: 560 thread_handle: 0x0000000000000244 process_identifier: 1800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Sandbox/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000000000000039c	1	1
CreateProcessInternalW Aug. 10, 2024, 12:20 p.m.	thread_identifier: 2352 thread_handle: 0x0000000000000244 process_identifier: 2580 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000000000003a0	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0020b400', u'virtual_address': u'0x00002000', u'entropy': 7.606780072579322, u'name': u'.text', u'virtual_size': u'0x0020b204'}

entropy

7.60678007258

description

A section with a high entropy has been found

entropy

0.999283838625

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 10, 2024, 12:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod Aug. 10, 2024, 12:19 p.m.	inargs.CurrentDirectory: None inargs.CommandLine: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\tmptqb9ww\modules\auxiliary\__pycache__\lsass.exe'" /f inargs.ProcessStartupInformation: {u'ShowWindow': None, u'FillAttribute': None, u'XSize': None, u'XCountChars': None, u'ErrorMode': 0, u'YSize': None, u'EnvironmentVariables': None, u'Y': None, u'YCountChars': None, u'CreateFlags': 8, u'WinstationDesktop': None, u'Title': None, u'X': None, u'PriorityClass': None} outargs.ProcessId: 2360 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Dnoper.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Trojan.MSIL.Basic.8.Gen
Cylance	Unsafe
VIPRE	Trojan.MSIL.Basic.8.Gen
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005690671 )
BitDefender	Trojan.MSIL.Basic.8.Gen
K7GW	Trojan ( 005690671 )
Cybereason	malicious.883559
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.ETF
APEX	Malicious
McAfee	GenericRXWO-FP!3970EF988355
Avast	Win32:SpywareX-gen [Trj]
ClamAV	Win.Packed.Uztuby-10009381-0
Kaspersky	HEUR:Trojan.MSIL.Dnoper.gen
Alibaba	Trojan:MSIL/Dnoper.4408aad0
MicroWorld-eScan	Trojan.MSIL.Basic.8.Gen
Rising	Trojan.Dnoper!8.10CB3 (CLOUD)
Emsisoft	Trojan.MSIL.Basic.8.Gen (B)
DrWeb	Trojan.Siggen28.48158
Zillya	Trojan.Basic.Win32.127126
McAfeeD	Real Protect-LS!3970EF988355
FireEye	Generic.mg.3970ef9883559736
Sophos	Troj/DCRat-U
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.MSIL.aotqv
Google	Detected
MAX	malware (ai score=88)
Kingsoft	MSIL.Trojan.Dnoper.gen
Arcabit	Trojan.MSIL.Basic.8.Gen
ZoneAlarm	HEUR:Trojan.MSIL.Dnoper.gen
GData	Trojan.MSIL.Basic.8.Gen
Varist	W32/MSIL_Agent.HOQ.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5484342
BitDefenderTheta	Gen:NN.ZemsilF.36810.co0@aGy6stf
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.MSIL
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.MSIL.Crypt
Panda	Trj/GdSda.A
Tencent	Msil.Trojan.Dnoper.Ncnw
Yandex	Trojan.Dnoper!0Ro/SJ5iD8k
huorong	Backdoor/MSIL.DCRat.l
MaxSecure	Trojan.Malware.74328497.susgen
Fortinet	MSIL/Crypt.SS!tr.spy
AVG	Win32:SpywareX-gen [Trj]

win32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All