pat.exe

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.vmp0
section	.vmp1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://antimalwarebyte.xyz/collect.php

Performs some HTTP requests (1 event)

request

POST http://antimalwarebyte.xyz/collect.php

Sends data using the HTTP POST Method (1 event)

request

POST http://antimalwarebyte.xyz/collect.php

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 2, 2021, 4:11 p.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2021, 4:11 p.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (2 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: mobsync.exe process_identifier: 3488	1	1	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: pw.exe process_identifier: 3516	1	1	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: taskhost.exe process_identifier: 7644	1	1	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: cmd.exe process_identifier: 9068	1	1	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: pw.exe process_identifier: 5628	1	1	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: pat.exe process_identifier: 8564	1	1	0
Process32NextW July 2, 2021, 4:11 p.m.	snapshot_handle: 0x000000c0 process_name: slui.exe process_identifier: 7680	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x005b6e00', u'virtual_address': u'0x003e9000', u'entropy': 7.964269757855913, u'name': u'.vmp1', u'virtual_size': u'0x005b6df0'}				entropy	7.96426975786				description	A section with a high entropy has been found
entropy	0.999743721169				description	Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host	172.217.25.14

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\wallet.dat
file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA July 2, 2021, 4:11 p.m.	key_handle: 0x00000248 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Harvests credentials from local FTP client softwares (10 events)

file	C:\Users\Default\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\Default\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\Public\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\Public\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\Default User\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\All Users\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\All Users\AppData\Roaming\.purple\accounts.xml
file	C:\Users\Default User\AppData\Roaming\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Users\Default\AppData\Roaming\.purple\accounts.xml
file	C:\Users\Public\AppData\Roaming\.purple\accounts.xml

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
McAfee	Artemis!571D311FC434
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
K7GW	Trojan ( 7000001c1 )
K7AntiVirus	Trojan ( 7000001c1 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.VMProtect.VH
APEX	Malicious
Kaspersky	Trojan-PSW.Win32.HashCity.mf
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.tc
FireEye	Generic.mg.571d311fc434e77d
Sophos	Mal/Generic-R + Mal/VMProtBad-A
Ikarus	Trojan.Win32.VMProtect
Avira	TR/Crypt.XPACK.Gen
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:Win32/Tnega!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Reputation.R426616
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34770.@BW@auesfFi
Malwarebytes	Malware.AI.2723236934
Rising	Trojan.Generic@ML.99 (RDML:ozipnu8w60GHoLYNBO6C6w)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Qihoo-360	HEUR/QVM19.1.4F0F.Malware.Gen