Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 7, 2024, 12:58 p.m.	Nov. 7, 2024, 1:07 p.m.

Size	10.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6630b14845f7d092bdedddc7ca62036f`
SHA256	`2d7a125b7f2b2b5577a22b3595d63eaff97fb7bf593327d9598aaf4f6015264d`
CRC32	`112360D7`
ssdeep	`196608:eOGlj18AnhS+g/2v2goLmwqvgFda7+LN2+4LDVTl/FuO7A0ZmoCGLVSeicSH5OQ9:Glj18AhS+42v2goLm/gFda7QYx/xTssK`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Everything.exe "C:\Users\test22\AppData\Local\Temp\Everything.exe"
2640
- Cheat.sfx.exe "C:\Users\test22\AppData\Local\Temp\Cheat.sfx.exe"
  2736
- tzidRecG.exe "C:\Users\test22\AppData\Local\Temp\tzidRecG.exe"
  2780
  - tzidRecG.exe "C:\Users\test22\AppData\Local\Temp\tzidRecG.exe"
    2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 7, 2024, 12:58 p.m.			0	0
IsDebuggerPresent Nov. 7, 2024, 12:58 p.m.			0	0
IsDebuggerPresent Nov. 7, 2024, 12:59 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2024, 12:58 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 7, 2024, 12:59 p.m.	stacktrace: 0x7fe94366c3f 0x7fe94365020 0x7fe943621b5 mscorlib+0x4ef8a5 @ 0x7fef285f8a5 mscorlib+0x4ef609 @ 0x7fef285f609 mscorlib+0x4ef5c7 @ 0x7fef285f5c7 mscorlib+0x502d21 @ 0x7fef2872d21 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a1f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a1f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef3a1f30b NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef3be6291 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef3ac6d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef3ac6d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef3ac6c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef3ac6dbb NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef3be6175 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef3b566ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 8b 41 08 83 f8 01 7d 09 33 c0 e9 e4 00 00 00 66 exception.instruction: mov eax, dword ptr [rcx + 8] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe94366c3f registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 1024 registers.rbx: 0 registers.rsp: 469105840 registers.r11: 38792016 registers.r8: 469098080 registers.r9: 1992879112223 registers.rdx: 38791840 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 7, 2024, 12:59 p.m.

stacktrace:

0x7fe94366c3f
0x7fe94365020
0x7fe943621b5
mscorlib+0x4ef8a5 @ 0x7fef285f8a5
mscorlib+0x4ef609 @ 0x7fef285f609
mscorlib+0x4ef5c7 @ 0x7fef285f5c7
mscorlib+0x502d21 @ 0x7fef2872d21
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a1f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a1f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef3a1f30b
NGenCreateNGenWorker+0x682d _AxlPublicKeyBlobToPublicKeyToken-0x409df clr+0x216291 @ 0x7fef3be6291
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef3ac6d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef3ac6d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef3ac6c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef3ac6dbb
NGenCreateNGenWorker+0x6711 _AxlPublicKeyBlobToPublicKeyToken-0x40afb clr+0x216175 @ 0x7fef3be6175
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef3b566ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 8b 41 08 83 f8 01 7d 09 33 c0 e9 e4 00 00 00 66
exception.instruction: mov eax, dword ptr [rcx + 8]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe94366c3f
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 0
registers.r10: 1024
registers.rbx: 0
registers.rsp: 469105840
registers.r11: 38792016
registers.r8: 469098080
registers.r9: 1992879112223
registers.rdx: 38791840
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 54 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef406b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9423a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94316000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9424c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9425b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9423b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9424d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9424e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9424f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9424a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9425d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94361000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9423c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94362000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94363000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94364000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94232000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 12:58 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94365000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version

Creates executable files on the filesystem (48 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\DllCheat.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\python312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\VCRUNTIME140_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\tzidRecG.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\pywin32_system32\pywintypes312.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI27802\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\Cheat.sfx.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\Cheat.sfx.exe
file	C:\Users\test22\AppData\Local\Temp\tzidRecG.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\DllCheat.exe
file	C:\Users\test22\AppData\Local\Temp\Cheat.sfx.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00014800', u'virtual_address': u'0x0006b000', u'entropy': 7.418340020698796, u'name': u'.rsrc', u'virtual_size': u'0x00014710'}

entropy

7.4183400207

description

A section with a high entropy has been found

entropy

0.275167785235

description

Overall entropy of this PE file is high

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Trojan.Generic.36909085
Cylance	Unsafe
VIPRE	Trojan.Generic.36909085
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Trojan.Generic.36909085
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Trojan.Generic.D233301D
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Spy.Agent.EOC
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Dropper.Nanocore-9986456-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	TrojanSpy:MSIL/PhemedroneStealer.65f4f767
NANO-Antivirus	Trojan.Win32.Nekark.ksmkbr
MicroWorld-eScan	Trojan.Generic.36909085
Rising	Stealer.Phemedrone!1.F3D5 (CLASSIC)
Emsisoft	Trojan.Generic.36909085 (B)
F-Secure	Trojan.TR/AD.Nekark.cxjkc
DrWeb	Trojan.PWS.Stealer.40208
Zillya	Trojan.KillMBR.Win32.1338
TrendMicro	TROJ_GEN.R002C0DJ524
McAfeeD	ti!2D7A125B7F2B
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.6630b14845f7d092
Google	Detected
Avira	TR/AD.Nekark.ywnly
Kingsoft	Win32.Troj.Unknown.a
Microsoft	TrojanSpy:MSIL/PhemedroneStealer.SK!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealer.gen
GData	Trojan.Generic.36909085
Varist	W32/MSIL_Agent.FUM.gen!Eldorado
AhnLab-V3	Trojan/Win.Agent.C5629568
McAfee	Artemis!6630B14845F7
DeepInstinct	MALICIOUS
VBA32	Trojan.Zenpak
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan-Spy.RedLineStealer
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0DJ524

Everything.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All