Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 14, 2021, 1:41 p.m.	June 14, 2021, 1:52 p.m.

Size	375.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`b97b650ca091ac961cf92c1a071d5625`
SHA256	`7247a615b6fe4bad954c3b15691e4cdf308fca5075444b326bd5e4c101dd39ba`
CRC32	`FC345AFA`
ssdeep	`6144:2fMG9RFsULVxbPEdGV0AIsBVjvx9/LB6pK9:ZGV5bYGdIsDvx`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

csgo%20cheat%20new%2001062021.exe "C:\Users\test22\AppData\Local\Temp\csgo%20cheat%20new%2001062021.exe"
4884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 14, 2021, 1:41 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2021, 1:41 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 14, 2021, 1:41 p.m.	process_identifier: 4884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 14, 2021, 1:41 p.m.	process_identifier: 4884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 65 events)

Time & API	Arguments	Status	Return
Process32FirstW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: [System Process] process_identifier: 0	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: System process_identifier: 4	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: smss.exe process_identifier: 224	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: services.exe process_identifier: 440	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: taskeng.exe process_identifier: 7784	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: pw.exe process_identifier: 7748	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: taskhost.exe process_identifier: 4836	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: SearchProtocolHost.exe process_identifier: 8400	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: SearchFilterHost.exe process_identifier: 7772	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: csgo%20cheat%20new%2001062021.exe process_identifier: 4884	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: svchost.exe process_identifier: 8408	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: WerFault.exe process_identifier: 6080	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: csgo%20cheat%20new%2001062021.exe process_identifier: 8004	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: cmd.exe process_identifier: 4804	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: conhost.exe process_identifier: 1904	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: pw.exe process_identifier: 6176	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000190 process_name: cmd.exe process_identifier: 7276	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000190 process_name: conhost.exe process_identifier: 6140	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000190 process_name: pw.exe process_identifier: 7808	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000194 process_name: cmd.exe process_identifier: 3788	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000194 process_name: conhost.exe process_identifier: 5988	1	1
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000194 process_name: pw.exe process_identifier: 6940	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00028c00', u'virtual_address': u'0x00081000', u'entropy': 7.92062980619847, u'name': u'UPX1', u'virtual_size': u'0x00029000'}

entropy

7.9206298062

description

A section with a high entropy has been found

entropy

0.435828877005

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 1663 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: WerFault.exe process_identifier: 6080		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: WerFault.exe process_identifier: 6080		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0
Process32NextW June 14, 2021, 1:41 p.m.	snapshot_handle: 0x00000184 process_name: audiodg.exe process_identifier: 6456		0	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 14, 2021, 1:41 p.m.	status_code: 0x00000000 process_identifier: 1848 process_handle: 0x00000188		0	0
NtTerminateProcess June 14, 2021, 1:41 p.m.	status_code: 0x00000000 process_identifier: 1848 process_handle: 0x00000188	1	0	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell				reg_value	C:\Users\test22\AppData\Local\Temp\csgo%20cheat%20new%2001062021.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini				reg_value	C:\Users\test22\AppData\Local\Temp\csgo%20cheat%20new%2001062021.exe

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Winlock.14393
MicroWorld-eScan	Gen:Variant.Graftor.276772
FireEye	Generic.mg.b97b650ca091ac96
CAT-QuickHeal	Ransom.Somhoveran.C8
McAfee	Artemis!B97B650CA091
Cylance	Unsafe
Zillya	Trojan.Gimemo.Win32.8819
Sangfor	Ransom.Win32.Gandcrab_12.se
K7AntiVirus	Trojan ( 00577e601 )
Alibaba	Ransom:Win32/Gimemo.ddf92878
K7GW	Trojan ( 00577e601 )
Cybereason	malicious.ca091a
BitDefenderTheta	AI:Packer.9E12973D20
Cyren	W32/A-32df3ff0!Eldorado
Symantec	SMG.Heur!gen
ESET-NOD32	Win32/LockScreen.AWI
APEX	Malicious
Avast	Win32:Agent-ATUS [Trj]
ClamAV	Win.Ransomware.Gimemo-6725202-0
Kaspersky	Trojan-Ransom.Win32.Gimemo.cdqu
BitDefender	Gen:Variant.Graftor.276772
NANO-Antivirus	Trojan.Win32.Gimemo.foalcc
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Gimemo.384000.A
Tencent	Ransom.Win32.Gmie.a
Ad-Aware	Gen:Variant.Graftor.276772
Emsisoft	Gen:Variant.Graftor.276772 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Mal_LockScreen
McAfee-GW-Edition	GenericRXEQ-QT!CEEFDA1C7947
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Gimemo.tj
MaxSecure	Trojan.Malware.9553181.susgen
Avira	TR/Strictor.oiuya
MAX	malware (ai score=100)
Kingsoft	Heur.SSC.2686244.1216.(kcloud)
Microsoft	Ransom:Win32/Somhoveran
Gridinsoft	Ransom.Win32.Gandcrab.sa
Arcabit	Trojan.Graftor.D43924
AegisLab	Trojan.Win32.Gimemo.j!c
ZoneAlarm	Trojan-Ransom.Win32.Gimemo.cdqu
GData	Win32.Trojan-Ransom.Somhoveran.A
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Gimemo.R334889
VBA32	TScope.Trojan.Delf
ALYac	Gen:Variant.Graftor.276772
Malwarebytes	Ransom.Winlock

csgo%20cheat%20new%2001062021.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All