Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 1, 2024, 8:46 a.m.	Aug. 1, 2024, 8:48 a.m.

Size	4.9MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`8f307a5db76ea7573f1824d852178c0c`
SHA256	`ebb4dedf0806b2b7ec4cdd0e685c38333d2669a8dab614721c0eb81c7333c68a`
CRC32	`DC50317B`
ssdeep	`98304:0qwZBLUlpN/YrZIuVZpLIyT2blKOiTlraDKQf7pRHwawycS:0qwZBwlpKZIYux4rZM7pRXCS`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

NO.exe "C:\Users\test22\AppData\Local\Temp\NO.exe"
2548
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 1, 2024, 8:38 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Aug. 1, 2024, 8:40 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (23 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\xpdApi.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\boost_json-vc143-mt-x64-1_83.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\zlib1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcpcore.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_atomic_wait.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_2.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\NOO.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\bz2.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\WebView2Loader.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\boost_program_options-vc143-mt-x64-1_83.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\cpprest_2_10.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\CDS.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\concrt140.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_codecvt_ids.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\olknh.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\zip.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\nh.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\win32gql.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\SeamlessLaunch.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140.dll

Creates hidden or system file (23 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: WebView2Loader.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\WebView2Loader.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: win32gql.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\win32gql.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: xpdApi.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\xpdApi.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: zip.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\zip.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: zlib1.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\zlib1.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: boost_json-vc143-mt-x64-1_83.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\boost_json-vc143-mt-x64-1_83.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: boost_program_options-vc143-mt-x64-1_83.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\boost_program_options-vc143-mt-x64-1_83.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: bz2.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\bz2.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: CDS.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\CDS.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: concrt140.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\concrt140.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: cpprest_2_10.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\cpprest_2_10.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: msvcp140.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: msvcp140_1.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_1.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: msvcp140_2.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_2.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: msvcp140_atomic_wait.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_atomic_wait.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: msvcp140_codecvt_ids.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcp140_codecvt_ids.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: msvcpcore.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\msvcpcore.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: nh.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\nh.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: NOO.exe filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\NOO.exe	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: olknh.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\olknh.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: SeamlessLaunch.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\SeamlessLaunch.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: vcruntime140.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\vcruntime140.dll	1	1
SetFileAttributesW Aug. 1, 2024, 8:38 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: vcruntime140_1.dll filepath: C:\Users\test22\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll	1	1

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\NOO.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\NOO.exe

NO.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All