Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 23, 2021, 11:04 a.m.	April 23, 2021, 11:06 a.m.

Size	7.1MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`787822a3f6e82ac53becdc6a50a8cdab`
SHA256	`31c18d5f3b764fce15b94b6ec752acaa486d4ac16cab3bebb5b5b8f971804927`
CRC32	`79D48FA8`
ssdeep	`98304:OItV6CgtMvKgrJYxBZiTXr7iBOLleq40BgBweRQ0gQiDiGg4SnLhqhViTSovGse:O4V6JmvKeJYxBEr7AOcq43BwevAmLkhb`
Yara	PE_Header_Zero - PE File Signature Zero IsPE64 - (no description) IsConsole - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check escalate_priv - Escalade priviledges win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile ldpreload - (no description)

parse.exe "C:\Users\test22\AppData\Local\Temp\parse.exe"
3324

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (43 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Local/Microsoft/Edge/User Data/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Microsoft Edge find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Microsoft Edge find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Microsoft Edge find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Microsoft Edge find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:185: error Firefox find bookmark file failed, ERR:find places.sqlite failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:185: error Firefox find cookie file failed, ERR:find cookies.sqlite failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:185: error Firefox find history file failed, ERR:find places.sqlite failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:179: error Firefox find password file failed, ERR:find logins.json failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Local/Vivaldi/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Vivaldi find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Vivaldi find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Vivaldi find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Vivaldi find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Chrome find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error 360speed find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error 360speed find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error 360speed find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error 360speed find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error qq find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error qq find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error qq find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error qq find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Local/BraveSoftware/Brave-Browser/User Data/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Brave find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Brave find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Brave find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Brave find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Roaming/Opera Software/Opera Stable/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Opera find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Opera find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Opera find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Opera find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Roaming/Opera Software/Opera GX Stable/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error OperaGX find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error OperaGX find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error OperaGX find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error OperaGX find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: cmd.go:53: error open C:\Users\test22/AppData/Local/Google/Chrome Beta/User Data/Local State: The system cannot find the path specified. console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Chrome Beta find bookmark file failed, ERR:find Bookmarks failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Chrome Beta find cookie file failed, ERR:find Cookies failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Chrome Beta find history file failed, ERR:find History failed console_handle: 0x0000000000000007	1	1
WriteConsoleW April 23, 2021, 10:56 a.m.	buffer: browser.go:132: error Chrome Beta find password file failed, ERR:find Login Data failed console_handle: 0x0000000000000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sedata

Allocates read-write-execute memory (usually to unpack itself) (50 out of 316 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 15597568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3239936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 3239936 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000718000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000718000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 262144 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001401000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009a7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009a7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 23, 2021, 10:56 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a03000 process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (50 out of 72 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Module Info Cache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x004cec00', u'virtual_address': u'0x00001000', u'entropy': 7.999962156698545, u'name': u'.text', u'virtual_size': u'0x00ee0000'}

entropy

7.9999621567

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001c3200', u'virtual_address': u'0x00ee1000', u'entropy': 7.501179309897222, u'name': u'.sedata', u'virtual_size': u'0x001c4000'}

entropy

7.5011793099

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x010a6000', u'entropy': 7.980078559617388, u'name': u'.sedata', u'virtual_size': u'0x00001000'}

entropy

7.98007855962

description

A section with a high entropy has been found

entropy

0.999851466766

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress April 23, 2021, 10:56 a.m.	ordinal: 0 function_address: 0x000007feff017a50 function_name: wine_get_version module: ntdll module_address: 0x00000000771c0000		-1073741511	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36465501
FireEye	Generic.mg.787822a3f6e82ac5
McAfee	Artemis!787822A3F6E8
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Agent.aa
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win64/NoobyProtect.6d3c67f1
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.3f6e82
Arcabit	Trojan.Generic.D22C6B5D
Cyren	W64/Trojan.EPOU-0169
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.HLYBHYZ
TrendMicro-HouseCall	TROJ_GEN.R002H0CCB21
Avast	Win64:Trojan-gen
BitDefender	Trojan.GenericKD.36465501
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKD.36465501
Emsisoft	Trojan-PSW.Agent (A)
McAfee-GW-Edition	BehavesLike.Win64.Dropper.wc
Sophos	Mal/Generic-S
Ikarus	PUA.NoobyProtect
Avira	HEUR/AGEN.1113311
MAX	malware (ai score=81)
Gridinsoft	Trojan.Heur!.030D00A3
Microsoft	Trojan:Win32/Mamson.A!ac
GData	Trojan.GenericKD.36465501
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.36465501
Malwarebytes	Malware.AI.3567938588
APEX	Malicious
Rising	Stealer.Agent!8.C2 (TFE:dGZlOgaZ9O8mNlwf3g)
Fortinet	Riskware/Generik
Webroot	W32.Suspicious.Gen
AVG	Win64:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	Win64/Trojan.Generic.H8oA0ScA

parse.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All