Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 30, 2025, 1:29 p.m.	April 30, 2025, 1:32 p.m.

Size	10.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fd2baa8f4a912025dd49c1da504ca352`
SHA256	`752dd7563038241bd57990937e5e55d0b5e105b32964ba1b1952e5ec56ae0cdc`
CRC32	`8DAA31C2`
ssdeep	`196608:TUEfUIxAumeCM1FFEAt64JdBT9hyWc3hH+pq0W8/LayuTcTBXYPfTk9Kvzq35:TU1qA1eCMDFE+JHTbd0hHoW8ZwcdXsKt`
Yara	PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

ui.exe "C:\Users\test22\AppData\Local\Temp\ui.exe"
184
- ui.exe "C:\Users\test22\AppData\Local\Temp\ui.exe"
  2144

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 30, 2025, 1:29 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ April 30, 2025, 1:30 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x745577b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15 MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57 ui+0x24e2 @ 0x8a24e2 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74373f46 registers.esp: 4287664 registers.edi: 0 registers.eax: 1949777734 registers.ebp: 4287704 registers.edx: 0 registers.ebx: 0 registers.esi: 1949777734 registers.ecx: 11013480	1
__exception__ April 30, 2025, 1:30 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x745577b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15 MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57 ui+0x24e2 @ 0x8a24e2 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x74373f46 registers.esp: 4287664 registers.edi: 0 registers.eax: 1949777734 registers.ebp: 4287704 registers.edx: 0 registers.ebx: 0 registers.esi: 1949777734 registers.ecx: 11013480	1
__exception__ April 30, 2025, 1:30 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 ui+0x15b56 @ 0x8b5b56 ui+0x15b20 @ 0x8b5b20 ui+0x15c6c @ 0x8b5c6c ui+0xa425 @ 0x8aa425 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 4323344 registers.edi: 0 registers.eax: 9032184 registers.ebp: 4323372 registers.edx: 1 registers.ebx: 0 registers.esi: 6672704 registers.ecx: 1949644156	1

Time & API

Arguments

Status

Return

Repeated

__exception__

April 30, 2025, 1:30 p.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x745577b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
ui+0x24e2 @ 0x8a24e2

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x74373f46
registers.esp: 4287664
registers.edi: 0
registers.eax: 1949777734
registers.ebp: 4287704
registers.edx: 0
registers.ebx: 0
registers.esi: 1949777734
registers.ecx: 11013480

__exception__

April 30, 2025, 1:30 p.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x745577b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
ui+0x24e2 @ 0x8a24e2

__exception__

April 30, 2025, 1:30 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
ui+0x15b56 @ 0x8b5b56
ui+0x15b20 @ 0x8b5b20
ui+0x15c6c @ 0x8b5c6c
ui+0xa425 @ 0x8aa425
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 4323344
registers.edi: 0
registers.eax: 9032184
registers.ebp: 4323372
registers.edx: 1
registers.ebx: 0
registers.esi: 6672704
registers.ecx: 1949644156

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI1842\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tk86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\python311.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\libffi-8.dll

Drops an executable to the user AppData folder (19 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI1842\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_decimal.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\select.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_ssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\unicodedata.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\python311.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tk86t.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_uuid.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_ctypes.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_hashlib.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_queue.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_lzma.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_tkinter.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\libssl-1_1.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000f600', u'virtual_address': u'0x00044000', u'entropy': 7.555532167563682, u'name': u'.rsrc', u'virtual_size': u'0x0000f494'}

entropy

7.55553216756

description

A section with a high entropy has been found

entropy

0.222826086957

description

Overall entropy of this PE file is high

Appends a known multi-family ransomware file extension to files that have been encrypted (50 out of 80 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp852.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\koi8-r.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp862.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\euc-cn.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp950.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp1250.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\gb1988.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp863.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\gb12345.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-4.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso2022-jp.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp861.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp1258.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-1.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp855.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp737.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\euc-jp.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\ascii.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\macCentEuro.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-10.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\macRomania.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp860.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp936.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\ksc5601.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\jis0201.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp1256.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp437.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\macDingbats.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\macCroatian.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-15.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp864.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp775.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp850.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\macTurkish.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp949.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-16.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\dingbats.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso2022-kr.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\symbol.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cns11643.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\macCyrillic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\ebcdic.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-5.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp1252.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp1253.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp869.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp874.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-6.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\gb2312.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso2022.enc

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 943 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Belem
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Manaus
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Africa\Lagos
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Antarctica\Mawson
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\US\Indiana-Starke
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tk\focus.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Resolute
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\msgs\en_ie.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Europe\London
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\msgs\it.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\msgs\nl.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Asia\Macao
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Asia\Aqtobe
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Virgin
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Indian\Mahe
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Paramaribo
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Atikokan
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Moncton
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Europe\Samara
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Europe\Kiev
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\msgs\te.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\msgs\fr_ch.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Pacific\Tahiti
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Turkey
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\cp949.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Australia\Melbourne
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tk\msgs\el.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Argentina\San_Juan
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Portugal
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Africa\Bangui
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\_queue.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Asia\Aqtau
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Pacific\Fakaofo
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\msgs\mk.msg
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\SystemV\MST7
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Asia\Gaza
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Rosario
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Europe\Chisinau
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Etc\GMT-2
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tk\megawidget.tcl
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\St_Barthelemy
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\encoding\iso8859-13.enc
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\EST5EDT
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Asia\Srednekolymsk
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Egypt
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Dawson_Creek
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\America\Antigua
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\tzdata\Asia\Oral
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\base_library.zip
file	C:\Users\test22\AppData\Local\Temp\_MEI1842\tcl\opt0.4\optparse.tcl

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
CAT-QuickHeal	Trojan.Ghanarava.17262270534ca352
Skyhigh	BehavesLike.Win32.Generic.vc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7GW	Trojan ( 0059e2471 )
K7AntiVirus	Trojan ( 0059e2471 )
VirIT	Trojan.Win32.Genus.WHZ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Avast	FileRepMalware [Misc]
Kaspersky	UDS:DangerousObject.Multi.Generic
NANO-Antivirus	Trojan.Win32.Mlw.jzgfaj
McAfeeD	ti!752DD7563038
CTX	exe.trojan.generic
Sophos	Generic ML PUA (PUA)
Jiangmin	Trojan.Blocker.vcn
Webroot	W32.Trojan.Gen
Google	Detected
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	Win32.Troj.Unknown.a
Xcitium	Malware@#3at0voxrx76nf
Varist	W32/ABTrojan.MBGF-0789
McAfee	Artemis!FD2BAA8F4A91
DeepInstinct	MALICIOUS
Malwarebytes	Agent.Spyware.Stealer.DDS
Panda	Trj/Chgt.AD
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/PossibleThreat
AVG	FileRepMalware [Misc]
Paloalto	generic.ml

ui.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All