Summary | ZeroBOX

update.exe

Gen1 Emotet .NET framework(MSIL) Malicious Library Admin Tool (Sysinternals etc ...) UPX PE64 PE File PE32 .NET DLL .NET EXE CAB DLL icon
Category: FILE
Machine: s1_win7_x6403_us
Started: Feb. 18, 2025, 5:30 p.m.
Completed: Feb. 18, 2025, 5:31 p.m.
Size 708.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 2b3324576857269e5bd626110108ee53
SHA256 533e467e2da69e53ed32619b8a3e89f4f76d07c1b7f0f72aa4014e13540b7218
CRC32 827135EF
ssdeep 12288:ueRtBxy90Iex4mGhRmF/ygL4lzZgmqzL3cSjrKYTDyd9EQpVRdNyX5U0:JjxyF69m66ho2cDyvEGRdNyX5j
PDB Path wextract.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet
  • CAB_file_format - CAB archive file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • UPX_Zero - UPX packed file

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP traffic (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path wextract.pdb
resource name AVI
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x746a77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
GetTargetForVTableEntry+0x7bc2 GetXMLElement-0x710f mscoreei+0x39d9f @ 0x74639d9f
GetTargetForVTableEntry+0x7f61 GetXMLElement-0x6d70 mscoreei+0x3a13e @ 0x7463a13e
GetTargetForVTableEntry+0x862e GetXMLElement-0x66a3 mscoreei+0x3a80b @ 0x7463a80b
GetTargetForVTableEntry+0x882d GetXMLElement-0x64a4 mscoreei+0x3aa0a @ 0x7463aa0a
GetXMLObject+0x5df6 LockClrVersion-0xb83 mscoreei+0x1a27f @ 0x7461a27f
LockClrVersion+0xd01 CorBindToRuntimeByPath-0x242e mscoreei+0x1bb03 @ 0x7461bb03
LockClrVersion+0x685 CorBindToRuntimeByPath-0x2aaa mscoreei+0x1b487 @ 0x7461b487
LockClrVersion+0x2b5a CorBindToRuntimeByPath-0x5d5 mscoreei+0x1d95c @ 0x7461d95c
ND_WU1+0xc2f _CorExeMain-0x5ac mscoreei+0xef86 @ 0x7460ef86
ND_WU1+0xded _CorExeMain-0x3ee mscoreei+0xf144 @ 0x7460f144
ND_WU1+0x109c _CorExeMain-0x13f mscoreei+0xf3f3 @ 0x7460f3f3
ND_WU1+0x1166 _CorExeMain-0x75 mscoreei+0xf4bd @ 0x7460f4bd
_CorExeMain+0x54 GetFileVersion-0x2957 mscoreei+0xf586 @ 0x7460f586
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x743f3f46
registers.esp: 4507640
registers.edi: 0
registers.eax: 1950302022
registers.ebp: 4507680
registers.edx: 0
registers.ebx: 0
registers.esi: 1950302022
registers.ecx: 12717416
1 0 0

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
SHGetDataFromIDListW+0x314 SHGetFolderPathAndSubDirW-0x2832 shell32+0x328ef @ 0x75d528ef
ShellExecuteExW+0x5e1 SHGetNameFromIDList-0x8629 shell32+0x22427 @ 0x75d42427
SHGetMalloc+0x17e0 ShellExecuteExW-0x64 shell32+0x21de2 @ 0x75d41de2
ShellExecuteExW+0xb4 SHGetNameFromIDList-0x8b56 shell32+0x21efa @ 0x75d41efa
ShellExecuteExW+0x42 SHGetNameFromIDList-0x8bc8 shell32+0x21e88 @ 0x75d41e88
New_shell32_ShellExecuteExW@4+0x1fa New_srvcli_NetShareEnum@28-0x8f @ 0x746a5f28
ShellExecuteW+0x77 PathResolve-0x6af shell32+0x13ce8 @ 0x75d33ce8
LockClrVersion+0x14ac CorBindToRuntimeByPath-0x1c83 mscoreei+0x1c2ae @ 0x7461c2ae
LockClrVersion+0x685 CorBindToRuntimeByPath-0x2aaa mscoreei+0x1b487 @ 0x7461b487
LockClrVersion+0x2b5a CorBindToRuntimeByPath-0x5d5 mscoreei+0x1d95c @ 0x7461d95c
ND_WU1+0xc2f _CorExeMain-0x5ac mscoreei+0xef86 @ 0x7460ef86
ND_WU1+0xded _CorExeMain-0x3ee mscoreei+0xf144 @ 0x7460f144
ND_WU1+0x109c _CorExeMain-0x13f mscoreei+0xf3f3 @ 0x7460f3f3
ND_WU1+0x1166 _CorExeMain-0x75 mscoreei+0xf4bd @ 0x7460f4bd
_CorExeMain+0x54 GetFileVersion-0x2957 mscoreei+0xf586 @ 0x7460f586
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x743f3f46
registers.esp: 4512860
registers.edi: 0
registers.eax: 1950302022
registers.ebp: 4512900
registers.edx: 0
registers.ebx: 0
registers.esi: 1950302022
registers.ecx: 12717416
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2068
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00870000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\ICSharpCode.SharpZipLib.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Ad.Credit Updater.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\System.CodeDom.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Office.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\ICSharpCode.SharpZipLib.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Office.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Ad.Credit Updater.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\System.CodeDom.dll
section .rsrc (virtual_address 0x0000f000, virtual_size 0x000a2000, size_of_data 0x000a2000, entropy 7.886784139083304) entropy 7.88678413908 description A section with a high entropy has been found
entropy 0.920454545455 description Overall entropy of this PE file is high
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Ad.Credit Updater.exe