Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 12, 2021, 8:58 p.m.	June 12, 2021, 9:03 p.m.

Size	175.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0013b42646adc1c1f36a7f14573a608a`
SHA256	`eb5fc27c49c8b0da671e5aed5363774eafd9c2941577263e8d5fcb459f7110c8`
CRC32	`8B15513A`
ssdeep	`3072:X8vALsQKiUkTUT5DCfiwD569a/bN1C+6YAMY:X8vqsQKEsoI9a++6ZM`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_njRAT_1_Zero - Win Backdoor njRAT

I-Record.exe "C:\Users\test22\AppData\Local\Temp\I-Record.exe"
4244

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 12, 2021, 8:58 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 12, 2021, 8:58 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (48 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2461000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26de000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef26de000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0002c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00161000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0003f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00162000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00074000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00163000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 12, 2021, 8:58 p.m.	process_identifier: 4244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Elastic	malicious (high confidence)
ClamAV	Win.Trojan.Generickdz-9869295-0
FireEye	Generic.mg.0013b42646adc1c1
CAT-QuickHeal	PUA.CsdimonetizeFC.S20328059
McAfee	GenericRXAA-FA!0013B42646AD
Cylance	Unsafe
Sangfor	Adware.Win32.Csdi.gen
K7AntiVirus	Adware ( 005684bb1 )
BitDefender	Trojan.GenericKDZ.75496
K7GW	Adware ( 005684bb1 )
Cybereason	malicious.756933
BitDefenderTheta	Gen:NN.ZemsilF.34738.km0@a8iYBvl
Cyren	W32/Trojan.GHH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Adware.CsdiMonetize.BC
APEX	Malicious
Avast	FileRepMalware [PUP]
Cynet	Malicious (score: 100)
Kaspersky	not-a-virus:HEUR:AdWare.MSIL.Csdi.gen
Alibaba	AdWare:MSIL/CsdiMonetize.e374bdf0
NANO-Antivirus	Riskware.Win32.CsdiMonetize.iwewlj
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Agent.179200.ZI
MicroWorld-eScan	Trojan.GenericKDZ.75496
Tencent	Msil.Adware.Csdi.Jz
Ad-Aware	Trojan.GenericKDZ.75496
Emsisoft	Trojan.GenericKDZ.75496 (B)
VIPRE	MSIL.Adware.CsdiMonetize
TrendMicro	TROJ_GEN.R002C0GF721
McAfee-GW-Edition	Artemis!Trojan
Sophos	Generic PUA JE (PUA)
Jiangmin	AdWare.MSIL.njsb
Webroot	W32.Trojan.Gen
Avira	TR/Dropper.Gen
Microsoft	Trojan:Win32/ScarletFlash.A
Gridinsoft	Trojan.Win32.Agent.ns
AegisLab	Adware.MSIL.Csdi.2!c
GData	Trojan.GenericKDZ.75496
AhnLab-V3	Malware/Win32.Generic.C4384961
VBA32	TScope.Trojan.MSIL
ALYac	Trojan.GenericKDZ.75496
MAX	malware (ai score=83)
Malwarebytes	Adware.Csdimonetize
TrendMicro-HouseCall	TROJ_GEN.R002C0GF721
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Adware/CsdiMonetize
AVG	FileRepMalware [PUP]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_60% (W)

I-Record.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All