Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2025, 12:07 p.m.	March 8, 2025, 12:11 p.m.

Size	28.5KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`02320b5a9ffb3aa91fc2fe0f0906c575`
SHA256	`03349521a6994d528817f755d1d6c4ee74cda6cc6036525b911a06f8cc7707c9`
CRC32	`2202D542`
ssdeep	`192:Otk3w0++KjlRC5vVkDlBj9k2cugyJBLCsZ:OEYjlRAGlBj9kSgiLC0`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description)

8.exe "C:\Users\test22\AppData\Local\Temp\8.exe"
1072
- cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
  2272
  - reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
    2340
- cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
  2364
  - schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
    2448

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 8, 2025, 12:07 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2025, 12:07 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:07 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 8, 2025, 12:07 p.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW March 8, 2025, 12:07 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x000000000000000b	1	1
WriteConsoleW March 8, 2025, 12:07 p.m.	buffer: ERROR: console_handle: 0x000000000000000b	1	1
WriteConsoleW March 8, 2025, 12:07 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2025, 12:07 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (39 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c3b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35a4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ed6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:07 p.m.	process_identifier: 1072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93df2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates a suspicious process (4 events)

cmdline	schtasks /delete /f /tn "Windows Upgrade Manager"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
cmdline	cmd /c schtasks /delete /f /tn "Windows Upgrade Manager"
cmdline	"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 8, 2025, 12:07 p.m.	show_type: 0 filepath_r: cmd parameters: /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f filepath: cmd	1	1	0
ShellExecuteExW March 8, 2025, 12:07 p.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /delete /f /tn "Windows Upgrade Manager" filepath: cmd	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 8, 2025, 12:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	schtasks /delete /f /tn "Windows Upgrade Manager"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
cmdline	cmd /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
cmdline	cmd /c schtasks /delete /f /tn "Windows Upgrade Manager"
cmdline	"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
cmdline	reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W64.AIDetectMalware.CS
Lionic	Trojan.Win32.Pomal.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Pomal
Skyhigh	BehavesLike.Win64.Infected.mz
ALYac	IL:Trojan.MSILZilla.149514
Cylance	Unsafe
VIPRE	IL:Trojan.MSILZilla.149514
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	IL:Trojan.MSILZilla.149514
K7GW	Trojan ( 005a4db81 )
K7AntiVirus	Trojan ( 005a4db81 )
Arcabit	IL:Trojan.MSILZilla.D2480A
VirIT	Trojan.Win64.MSIL.GBF
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Agent.WEM
APEX	Malicious
Avast	Win64:InjectorX-gen [Trj]
ClamAV	Win.Malware.Msilheracles-10008197-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:MSIL/ATRAPS.7405b0c2
MicroWorld-eScan	IL:Trojan.MSILZilla.149514
Emsisoft	IL:Trojan.MSILZilla.149514 (B)
F-Secure	Trojan.TR/ATRAPS.dhtti
TrendMicro	TROJ_GEN.R002C0DC625
McAfeeD	ti!03349521A699
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.02320b5a9ffb3aa9
Google	Detected
Avira	TR/ATRAPS.dhtti
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win64.CoinMiner.sa
Microsoft	Trojan:Win32/Pomal!rfn
ViRobot	Trojan.Win.Z.Pomal.29184
GData	IL:Trojan.MSILZilla.149514
Varist	W64/ABTrojan.ZJQB-5877
AhnLab-V3	Trojan/Win.Generic.C5418787
McAfee	Artemis!02320B5A9FFB
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.BitCoinMiner
Ikarus	Trojan.MSIL.Agent
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DC625
Tencent	Malware.Win32.Gencirc.11c8b9bc
huorong	Trojan/MSIL.KillProcess.a
Fortinet	MSIL/Agent.WEM!tr

8.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All