Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.19 02:09
66ea645129e6a_jacobs.exe
09.19 11:09
clip64.dll
09.19 11:09
cred64.dll
09.19 10:09
vsfdajg16.exe
09.19 10:09
QuickBooks_Setup.msi
09.19 10:09
QuickBooks_Desktop_Set...
09.19 10:09
game.exe
09.19 10:09
vlsadg.exe
09.19 10:09
lnfsda.exe
09.19 10:09
66eaadab755d2_installs...

Latest News
09.20 07:09
Unravelling the World ...
09.20 07:09
European, Latin Americ...
09.20 07:09
OpenAI to Decide Which...
09.20 07:09
September 20, 2024
09.20 06:09
Stocks Hit Highs and A...
09.20 06:09
Fake GitHub Site Targe...
09.20 06:09
Vanilla Tempest levera...
09.20 06:09
Exploding Pagers Sound...
09.20 06:09
The time I almost got ...
09.20 05:09
High-risk vulnerabilit...

Summary | ZeroBOX

PowerRun.exe

Generic Malware Malicious Library Antivirus UPX PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 19, 2024, 2:12 p.m.	Aug. 19, 2024, 3:15 p.m.

Size	912.6KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`0a4a7f49dd88b8802db5aac1ac5f9483`
SHA256	`da77bc401ef0d7b8e23be3a9387660172aea176cd9d1248034130811d29942c9`
CRC32	`B20A1DC4`
ssdeep	`24576:gj2DW/xbWX2YIb3Qsu3/PNL3Q7HyRDTpAA+c:gj2EaXSQsW/PNjQLY9ARc`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

PowerRun.exe "C:\Users\test22\AppData\Local\Temp\PowerRun.exe"
2548
- PowerRun.exe "C:\Users\test22\AppData\Local\Temp\PowerRun.exe" /P:131456
  2676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2024, 2:12 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:12 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:12 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:12 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2024, 2:12 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 19, 2024, 2:12 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory Aug. 19, 2024, 2:12 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Aug. 19, 2024, 2:12 p.m.	snapshot_handle: 0x00000000000001a0 process_name: taskhost.exe process_identifier: 2352	1	1	0
Process32NextW Aug. 19, 2024, 2:12 p.m.	snapshot_handle: 0x00000000000001a0 process_name: PowerRun.exe process_identifier: 2548	1	1	0
Process32NextW Aug. 19, 2024, 2:12 p.m.	snapshot_handle: 0x00000000000001ac process_name: PowerRun.exe process_identifier: 2676	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 19, 2024, 2:12 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 19, 2024, 2:12 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Cylance	Unsafe
ESET-NOD32	Win64/PowerRun.B potentially unsafe
Rising	PUA.PowerRun!8.157FF (CLOUD)
Sophos	PowerRun (PUA)
Webroot	W32.Riskware.Privilegeesc
Kingsoft	Win32.Troj.Undef.a
GData	Win32.Riskware.PowerRun.B
Malwarebytes	Generic.Malware/Suspicious
Yandex	Trojan.Igent.b2GsbZ.18
MaxSecure	Trojan.Malware.216064600.susgen