Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 3, 2024, 5:06 a.m.	Oct. 3, 2024, 5:07 a.m.

Size	12.2MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`48381193bc2b85595549b519a250d7cf`
SHA256	`d11656964256a385ab5a5ed40ab4b6af22196c009e161fb46f9c841a7c08850e`
CRC32	`48C4003D`
ssdeep	`393216:cJCbW88fVEb2XMCHWUjQjx5WsqWxT45xHMrlDaz1T8idM:cJCbW8GEb2XMb8HsqAAMhYd`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

cliloc_fix.exe "C:\Users\test22\AppData\Local\Temp\cliloc_fix.exe"
2572
- cliloc_fix.exe "C:\Users\test22\AppData\Local\Temp\cliloc_fix.exe"
  2776

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 3, 2024, 4:59 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 3, 2024, 4:59 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 3, 2024, 4:59 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (47 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-fibers-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\tcl86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\libssl-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\tk86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\zlib1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\python312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-datetime-l1-1-0.dll

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Bkav	W64.AIDetectMalware
Skyhigh	BehavesLike.Win64.Agent.rc
APEX	Malicious
Zillya	Trojan.Agent.Win32.3991781
DeepInstinct	MALICIOUS

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 80 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp1258.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\ksc5601.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp932.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-4.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\shiftjis.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-1.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-15.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\tis-620.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso2022.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp950.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp737.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-5.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp1256.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp1257.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp874.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso2022-jp.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\koi8-u.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\gb1988.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp864.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-8.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\ebcdic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp863.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\gb2312-raw.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\euc-cn.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macCyrillic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macThai.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macCroatian.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macJapan.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\koi8-r.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp1254.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp850.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\symbol.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macRomania.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp865.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp936.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp949.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macDingbats.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp857.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\macUkraine.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\jis0208.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-6.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp860.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-16.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp866.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp1253.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\gb2312.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\jis0201.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-13.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso8859-2.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\gb12345.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 986 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\msgs\ar.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Europe\Riga
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\America\Los_Angeles
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Japan
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Asia\Yangon
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Indian\Antananarivo
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tk_data\msgs\fr.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\iso2022.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\tcl86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Pacific\Nauru
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\America\Managua
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Asia\Ulaanbaatar
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Antarctica\Rothera
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\America\Lima
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\msgs\pt.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tk_data\ttk\aquaTheme.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Atlantic\South_Georgia
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\tcl8\8.5\tcltest-2.5.5.tm
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Africa\Kigali
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\EET
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Europe\Monaco
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\koi8-r.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\America\Virgin
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\America\Chicago
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\encoding\cp865.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Africa\Harare
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Asia\Baghdad
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tk_data\msgbox.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Africa\Sao_Tome
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tk_data\ttk\utils.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Indian\Mahe
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\PRC
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Pacific\Auckland
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Asia\Baku
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Atlantic\Faroe
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Europe\Madrid
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Asia\Dhaka
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Europe\Paris
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tk_data\ttk\defaults.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\msgs\lt.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\msgs\id.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\Europe\Tallinn
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\tzdata\SystemV\HST10
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tk_data\ttk\classicTheme.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\msgs\pt_br.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI25722\_tcl_data\msgs\es_pa.msg

cliloc_fix.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All