Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 10, 2025, 11:53 a.m.	Jan. 10, 2025, 11:58 a.m.

Size	2.0MB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Microsoft Edge 131.0.2903.112, Subject: Microsoft Edge, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {D351D4BA-601A-46F9-B65D-B792D968A912}, Create Time/Date: Thu Jan 11 14:59:44 2024, Last Saved Time/Date: Thu Jan 11 14:59:44 2024, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
MD5	`872cb99a4886350aa57b1c40bba29b1c`
SHA256	`e16baa228ab77485f38b335510270943ab54df755bf72987ac229d819bb85401`
CRC32	`2AA58EFE`
ssdeep	`24576:Wt9cpVDhf6x7VZTi1RldQkwadtGaxft3UbV7mqppdq:ZpRhSxHTi1zmkltRt3UB7me`
Yara	Malicious_Library_Zero - Malicious_Library Microsoft_Office_File_Zero - Microsoft Office File CAB_file_format - CAB archive file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

msiexec.exe "C:\Windows\System32\msiexec.exe" /I C:\Users\test22\AppData\Local\Temp\install.msi
1372

Name	Response	Post-Analysis Lookup
eyiyueewuaqmmwcm.xyz
omasqkwqyskcagwi.xyz
isemauqkwwiumyky.xyz
yyimcoiwgckeakcm.xyz
smaaowemwiwggocu.xyz
gwwcqeykmseicgaw.xyz
smckcsaioceiyasu.xyz
kkcqgowgkcoyokcu.xyz
qigcqiaomwieqwka.xyz
ukicsmiwggcwksam.xyz
auayomwkewcomwas.xyz
omgcoecwsqiuqyug.xyz
giqukkwwcwgqcisg.xyz
esiaisyasoaoqwki.xyz
saumycuogqsqykes.xyz
maoeeogmuauywsyu.xyz
ymqaaskiwomkucuy.xyz
ymuiggyusggsymoi.xyz
ekcwemuekgqsimae.xyz
ukaiiiyqoooycyqm.xyz
osaymwoggqqycmse.xyz
ommwaqgaemsmcqwc.xyz
goeykqccmemkswom.xyz
aksuakswwkiimamq.xyz
smwsugycuuckemue.xyz
osaeyoiqoqawauga.xyz
kqmsgskwgemyueya.xyz
iagisciiyoemgwaa.xyz
ggicikyqcaiyguee.xyz
wucwykasawokemaw.xyz
kkwkgmcoawgaoiwg.xyz
muwqwgaaymomgwmi.xyz
keykoekseemyiewq.xyz
gwoyamckoqoaauoq.xyz
wuokiysmiucoucak.xyz
qqqmeagkkosgcayo.xyz
qwywqgsmgaoiwsga.xyz
wgqyouayikuyuqmk.xyz
omsqkuiwcwoegooq.xyz
qiswokuokugiooky.xyz
oqyaoykomyoygics.xyz
gwamoggwyegsseao.xyz
kwuuwgemogmuomwq.xyz
owaaygsacguucaye.xyz
akueuaicusaoieiy.xyz
awwomgcseeqwkkom.xyz
uksgyqiqaaiaiesi.xyz
uwgicagyykoommga.xyz
keosqeosukqcooco.xyz
ysawassgkwqygmmq.xyz
sauygqecsusickcu.xyz
ososwckwcqmmwqcy.xyz
uecouukwkuceyuwg.xyz
qcoysaaooaiccqyu.xyz	A 193.32.177.34	193.32.177.34
wuuiumemmigyyauq.xyz
kecgikusmakuksma.xyz
omgooecquoweeomo.xyz
eyoaceoookqskqmy.xyz
eswweuycwwiiykwo.xyz
goguooqkgysueime.xyz
eyoyssauceguqwmk.xyz
eqakguiwiqacqiwg.xyz
esimsqgcwwwmyoqc.xyz
osmoygyawqmmimkq.xyz
immyecuqwkiyscys.xyz
ymseciekayuweoww.xyz
ysiwwoeeaaskykaw.xyz
imigkomgmqgmakqk.xyz
wgcaouuqqqwucogy.xyz
gcmiymmqgwuquokm.xyz
immcqsiceooqyaay.xyz
kwaywmaequkqccai.xyz
qcyksokwumicscaa.xyz
acwomuuukiomgqkm.xyz
cauewwukyywyqiei.xyz
qwqsoyoqkymakowm.xyz
oekcyqqggaegsesm.xyz
ymysimqoykwqeqiq.xyz
gwyooeiscmwguqms.xyz
uiggameqqycugsqw.xyz
oyocwswugeiqqyoo.xyz
keguuyioweymiaws.xyz
ymmcwogyimsuqmcc.xyz
awyomscgweuqmgaw.xyz
isaeicumkcuwqmqq.xyz
ukyokaigmmkumgoa.xyz
imgeoyougkmmeuec.xyz
ismqaewykmoiguki.xyz
suwkomiqcykeyako.xyz
ukmcqucewskcqygg.xyz
iyaikmkkowcqemsi.xyz
smoswyoekkccyuga.xyz
oyewqwkusieeoqey.xyz
qiswcssocuqsaqkq.xyz
ewacuagosgqmuocm.xyz
maiyuocqqiqiiskw.xyz
kwmcuwccqmuecgea.xyz

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.32.177.34	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 10, 2025, 11:53 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 10, 2025, 11:53 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 10, 2025, 11:53 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73422000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 10, 2025, 11:53 a.m.	process_identifier: 1372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Jan. 10, 2025, 11:53 a.m.	total_number_of_free_bytes: 9931997184 free_bytes_available: 9931997184 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Jan. 10, 2025, 11:53 a.m.	number_of_free_clusters: 2424804 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Jan. 10, 2025, 11:53 a.m.	total_number_of_free_bytes: 9931997184 free_bytes_available: 9931997184 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Jan. 10, 2025, 11:53 a.m.	number_of_free_clusters: 2424804 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Jan. 10, 2025, 11:53 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

MicroWorld-eScan	Gen:Variant.Lazy.609164
CTX	msi.unknown.lazy
ALYac	Gen:Variant.Lazy.609164
K7GW	Trojan-Downloader ( 0056a18b1 )
K7AntiVirus	Trojan-Downloader ( 0056a18b1 )
Arcabit	Trojan.Lazy.D94B8C
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.HUQ
Kaspersky	HEUR:Trojan.Win32.Heavy.gen
BitDefender	Gen:Variant.Lazy.609164
Emsisoft	Gen:Variant.Lazy.609164 (B)
F-Secure	Trojan:W32/GenInflated.B
Ikarus	Trojan-Downloader.Win32.Agent
GData	Gen:Variant.Lazy.609164

install.msi

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All