Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 18, 2025, 11:47 a.m.	April 18, 2025, 11:50 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5	`e24d2cdf95e080f2b6a1db32352d8a3c`
SHA256	`d2f9dc8e7278a2ec0aa634536ac8d23db209aba8ca0e109ce80469c27517ab33`
CRC32	`38057581`
ssdeep	`49152:XMHaSOxCBcuLX54FiFdrAskBlVgEKEZv5zauP+Tx77KZbYj57O7Tfle:XM6FMBcuEEdrAstEnv53P+xhOfM`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

snd16061.exe "C:\Users\test22\AppData\Local\Temp\snd16061.exe"
2548
- client32.exe "C:\Users\test22\AppData\Roaming\WinSupUpdata\client32.exe"
  2680
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
geo.netsupportsoftware.com	A 172.67.68.212 A 104.26.1.231 A 104.26.0.231	172.67.68.212
Jalalymola11.com
Jalalymola17.com	A 5.10.250.240	5.10.250.244

IP Address	Status	Action
104.26.1.231	Active	Moloch
164.124.101.2	Active	Moloch
5.10.250.240	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 104.26.1.231:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 18, 2025, 11:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2025, 11:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2025, 11:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2025, 11:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2025, 11:47 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 18, 2025, 11:47 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73394000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73441000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2025, 11:48 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73570000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73540000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cb4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2025, 11:47 a.m.	process_identifier: 2680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b11000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

client32.exe tried to sleep 252 seconds, actually delayed analysis time by 252 seconds

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunns.ini.lnk
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\PCICHEK.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\PCICL32.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\client32.exe
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\pcicapi.dll
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\remcmdstub.exe
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\HTCTL32.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\TCCTL32.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\AudioCapture.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunns.ini.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\WinSupUpdata\client32.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Roaming\WinSupUpdata\HTCTL32.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\TCCTL32.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\AudioCapture.dll
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\remcmdstub.exe
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\PCICL32.DLL
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\client32.exe
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\pcicapi.dll
file	C:\Users\test22\AppData\Roaming\WinSupUpdata\PCICHEK.DLL

Executes one or more WMI queries (2 events)

wmi	SELECT * FROM Win32_SystemEnclosure
wmi	SELECT * FROM Win32_ComputerSystem

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003ee00', u'virtual_address': u'0x00026000', u'entropy': 7.228872164091266, u'name': u'.rsrc', u'virtual_size': u'0x0003ed3c'}

entropy

7.22887216409

description

A section with a high entropy has been found

entropy

0.760968229955

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 18, 2025, 11:47 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA April 18, 2025, 11:47 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1}	2
RegOpenKeyExA April 18, 2025, 11:47 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF}	2
RegOpenKeyExA April 18, 2025, 11:47 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020119 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2
RegOpenKeyExA April 18, 2025, 11:47 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF} base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}	2

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_ComputerSystem

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunns.ini.lnk

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

5.10.250.240:3388

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.ChePro.7!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Ghanarava.17327817752d8a3c
Skyhigh	Netsupportrat.d
ALYac	Trojan.GenericKD.49232004
Cylance	Unsafe
VIPRE	Trojan.GenericKD.49232004
Sangfor	Banker.Win32.Chepro.Veh9
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.49232004
K7GW	Unwanted-Program ( 005b7e0c1 )
K7AntiVirus	Unwanted-Program ( 005b7e0c1 )
Arcabit	Trojan.Generic.D2EF3884
Symantec	Trojan.Gen.MBT
Elastic	malicious (moderate confidence)
ESET-NOD32	multiple detections
Avast	Other:Malware-gen [Trj]
Kaspersky	Trojan-Banker.Win32.ChePro.nixe
Alibaba	TrojanBanker:Win32/ChePro.d140eff8
NANO-Antivirus	Trojan.Win32.ChePro.jpnujo
MicroWorld-eScan	Trojan.GenericKD.49232004
Emsisoft	Trojan.GenericKD.49232004 (B)
F-Secure	Trojan.TR/Spy.ChePro.zxgsm
DrWeb	Trojan.Siggen30.50191
Zillya	Tool.NetSup.Win32.41
McAfeeD	ti!D2F9DC8E7278
CTX	exe.trojan.chepro
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.49232004
Jiangmin	RemoteAdmin.NetSup.ai
Google	Detected
Avira	TR/Spy.ChePro.zxgsm
Antiy-AVL	RiskWare/Win32.Agent
Kingsoft	Win32.Troj.Generic.jm
Xcitium	Malware@#1zi5aixmnm5u8
Microsoft	HackTool:Win32/RemoteAdmin!MTB
GData	Trojan.GenericKD.49232004
Varist	W32/Tool.EQYN-2153
AhnLab-V3	Backdoor/Win.NetSupport.C5371154
McAfee	Artemis!E24D2CDF95E0
DeepInstinct	MALICIOUS
VBA32	Trojan.Tiggre
Malwarebytes	RiskWare.NetSupport.RAT
Ikarus	Trojan.Win32.Netsupportmanager
Panda	Trj/CI.A
Zoner	Trojan.Win32.153309
Tencent	Win32.Trojan-Banker.Chepro.Simw
Yandex	Riskware.RemoteAdmin!myez5VmqQPE
MaxSecure	Trojan.Malware.1728101.susgen

snd16061.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All