Summary | ZeroBOX

A.I_1003H.exe

PWS/Dexter Emotet Gen1 PhysicalDrive Generic Malware UPX Antivirus Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM MSOffice File PE File PE64 dll OS Processor Check PE32 CAB MZP Format DLL DllRegisterServer
Category Machine Started Completed
FILE s1_win7_x6403_us May 31, 2024, 10:03 a.m. May 31, 2024, 10:12 a.m.
Size 11.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3d5fa6d9aa8cf0087e59296463598c2e
SHA256 2ba75db3ee21d26878eb02ce7aa6b01e334fd7a811809ff2d0fd6cf5736890ba
CRC32 970134E4
ssdeep 196608:ZDxmNUHnMa8w2PsKp1p8kI+Ogkn8sheTjc9wPFi7D9uxwxHPDi+/u:ZDxmN2ewMsg1p8kZW9eTQ9wAMiveL
PDB Path d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 잠시만 기다려 주세요! ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 잠시만 기다려 주세요! ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Microsoft Windows Activator A.I  Main  V_1003H A.I
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer:   1) Windows Auto Activator   2) Slic2.1 Bios Install  
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer:   3) Windows Manual Activator   4) Windows XP Activator  
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer:   5) Windows Vista Activator   6) Server 2008 Activator  
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer:   7) Windows 7 Activator   8) Server R2 Activator  
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer:   G) Microsoft WGA OGA Genuine   O) Option Utility B) Bios  
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer:   C) Activation Check T) tokens   R) Restoration H) Help  
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: . 원하는 선택을 입력후 엔터키를 누르세요 :
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Windows\Sysnative\LogFiles\WMI\RtBackup\*
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: Access is denied.
console_handle: 0x0000000b
1 1 0
pdb_path d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74271000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74271000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74711000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73eb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75291000
process_handle: 0xffffffff
1 0 0
name RT_BITMAP language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x0002a57c size 0x00000bb6
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00040fdc size 0x000001ba
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00040fdc size 0x000001ba
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00040fdc size 0x000001ba
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00040fdc size 0x000001ba
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00040fdc size 0x000001ba
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00040fdc size 0x000001ba
name RT_STRING language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00041664 size 0x00000196
name RT_STRING language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00041664 size 0x00000196
name RT_STRING language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00041664 size 0x00000196
name RT_STRING language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x00041664 size 0x00000196
name RT_MANIFEST language LANG_KOREAN filetype XML 1.0 document, ASCII text, with CRLF line terminators sublanguage SUBLANG_KOREAN offset 0x00041890 size 0x000005b8
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\KMSkey.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\KmsServer\KmsServer3.reg
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1DHIDDEN1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090314\RemoveWatermarkX86.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\wga\wga.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1STHIDDEN1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\AutoB.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Tel_ID.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1D.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\R2SLIC2.1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\Registry.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1ST.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\DWM.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\KmsServer\KmsServer2.reg
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\user32.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\XPGenuine\wga2.reg
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1D.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1DHIDDEN2.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Restoration.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\ShortcutpatchR.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Shortcutpatch.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\System32\systemcpl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLICINSTALLCHECK.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\x64\dwm.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1SIHIDDEN2.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Help.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Cert.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\System32\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1SIHIDDEN2.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\VistaRestoration.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\Temp.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\x86\uDWM.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x64\System32\user32.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x86\System32\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\A.I_Run.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x86\System32\systemcpl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\TakeOwnershipInstall.reg
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\KMSOptimizer.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Sever2008key.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x86\System32\systemcpl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090331\RemoveWatermarkX86.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RegistryX64.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\BIOS.vbs
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x64\SysWOW64\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x64\System32\slmgr.vbs
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x86\System32\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\TakeOwnership.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\DWMR.reg
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090509\RemoveWatermarkX64.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\A.I.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\A.I_Run.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090331\RemoveWatermarkX86.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x86\System32\systemcpl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\RSimulation.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\Simulation.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x86\System32\user32.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x86\System32\ko-KR\Display.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\wga\WgaLogon.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x86\System32\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x86\System32\ko-KR\shell32.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\bootinst.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\7tokens.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\bootrest.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x86\System32\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\Vistatokens.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\wga\LegitCheckControl.dll
file C:\Users\test22\AppData\Local\Temp\RarSFX0\A.I.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\Temp.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x64\SysWOW64\user32.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x64\SysWOW64\systemcpl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\R\x86\System32\user32.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\VBS\HS.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\7Loader.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\BIOS.EXE
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RegistryX64.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\x86\uDWM.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x64\System32\sppcomapi.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\shell32.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\wga\OGACheckControl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\ReadyFor4GB\viewmem-x86.sys
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\x86\original\uDWM.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\x86\original\dwm.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x64\SysWOW64\user32.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\boot.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\XPGenuine\winlogon.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\wga\WgaTray.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\Registry.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\VistaBootPro.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\ReadyFor4GB\ReadyFor4GB.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090117\RemoveWatermarkX86.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\Keyfinder.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090314\RemoveWatermarkX86.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\dwm\x86\dwm.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\RemoveWatermark\20090509\RemoveWatermarkX86.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Forever\x86\System32\systemcpl.dll
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\R\x64\SysWOW64\ko-KR\shell32.dll.mui
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Option\TemporaryAuto.exe
section name .rsrc size_of_data 0x00018000 virtual_address 0x0002a000 virtual_size 0x00017e48 entropy 7.4589557735442344 description A section with a high entropy has been found
entropy 0.637873754153 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0
cmdline sc stop PcaSvc
Time & API Arguments Status Return Repeated

ControlService

service_handle: 0x0042f8c8
service_name: PcaSvc
control_code: 1
1 1 0
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Cert.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Option.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\ReadyFor4GB.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1SIHIDDEN2.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Restoration.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1ST.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Restoration.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1SIBOOTMGR.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\7Forever.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\R2Forever.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\Makegrldr2-2
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1STVFD.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1SIHIDDEN1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Windows7Optimizer.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\R2Forever.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1SIHIDDEN1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1DBASIC.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1DHIDDEN1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\SLIC2.1\Samsung.bin
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\R2Optimizer.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Adm.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\KMS.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\R2SLIC2.1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\KMS.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Server2008.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1STBASIC.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Cert2.1.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\7RetailOPT.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Cert.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Vista.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1U.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\7Retail.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\DWM.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\key.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\AutoB.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\KMSOptimizer.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1DBOOTMGR.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\AutoB.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Help.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\VistaRestoration.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1STBOOTMGR.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1SIBASIC.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1SIBASIC.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\R2Optimizer.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1SIVFD.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\SLIC2.1SIVFD.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\Hibernation.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\Auto.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source\TakeOwnership.cmd
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\data\Source64\SLIC2.1D.cmd
cmdline icacls C:\Windows\Sysnative\sfc.exe /t /deny everyone:f
Bkav W32.Common.3A017B64
Lionic Trojan.Win32.Fsysna.4!c
Elastic malicious (moderate confidence)
Skyhigh BehavesLike.Win32.Sality.wc
ALYac Misc.HackTool.WinActivator
Cylance unsafe
VIPRE Trojan.GenericKD.4457434
Sangfor PUP.Win32.Agent.Vewe
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.GenericKD.4457434
K7GW Riskware ( 0040eff71 )
Cybereason malicious.9aa8cf
Arcabit Trojan.Generic.D4403DA
VirIT Trojan.Win32.Generic.CEBR
Symantec Hacktool.Kms
ESET-NOD32 a variant of Win32/Packed.FlyStudio potentially unwanted
McAfee Artemis!3D5FA6D9AA8C
Avast Win32:MiscX-gen [PUP]
ClamAV Win.Malware.Agent-6371164-0
Kaspersky Trojan.Win32.Fsysna.fcwp
Alibaba Trojan:Win32/HiddenStart.e456f989
NANO-Antivirus Trojan.Win32.Diple.dhccqd
MicroWorld-eScan Trojan.GenericKD.4457434
Emsisoft Trojan.GenericKD.4457434 (B)
DrWeb Trojan.PWS.Siggen1.45571
TrendMicro TROJ_FRS.0NA003H718
McAfeeD ti!2BA75DB3EE21
FireEye Generic.mg.3d5fa6d9aa8cf008
Sophos Generic Reputation PUA (PUA)
Ikarus Trojan.ATRAPS
Jiangmin Trojan/Diple.wde
Webroot W32.Malware.Gen
MAX malware (ai score=100)
Kingsoft Win32.Trojan.Fsysna.fcwp
Gridinsoft Hack.Win32.Patcher.ns
Xcitium TrojWare.Win32.Downloader.FraudLoad.R@1cogfd
ViRobot HackTool.WindowsActivator.11980543
ZoneAlarm Trojan.Win32.Fsysna.fcwp
GData Win32.Application.HStart.A
Google Detected
AhnLab-V3 HackTool/Win32.Crack.C456990
DeepInstinct MALICIOUS
VBA32 TScope.Trojan.Delf
Malwarebytes HackTool.WpaKill
TrendMicro-HouseCall TROJ_FRS.0NA003H718
Tencent Win32.Trojan.Generic.A0b7
Yandex Trojan.Agent!I3pNDh9G1KU
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.2588.susgen
Fortinet Riskware/WinActivator