Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 4, 2021, 11:06 a.m. | May 4, 2021, 11:14 a.m. |
-
rtd0t1.exe C:\Users\test22\AppData\Local\Temp\rtd0t1.exe
3052
Suricata Alerts
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
suspicious_features | POST method with no referer header, HTTP version 1.0 used, Connection to IP address | suspicious_request | POST http://209.141.50.70/PV/300/pin.php |
request | POST http://209.141.50.70/PV/300/pin.php |
request | POST http://209.141.50.70/PV/300/pin.php |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data |
file | C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data |
file | C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data |
file | C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data |
file | C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data |
file | C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data |
file | C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data |
file | C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data |
file | C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
section | {u'size_of_data': u'0x00026a00', u'virtual_address': u'0x00002000', u'entropy': 7.82115786060924, u'name': u'.text', u'virtual_size': u'0x00026971'} | entropy | 7.82115786061 | description | A section with a high entropy has been found | |||||||||
entropy | 0.893063583815 | description | Overall entropy of this PE file is high |
url | https://discord.com/ |
url | http://www.ibsensoftware.com/ |
description | Communications use DNS | rule | Network_DNS | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Win32 PWS Loki | rule | Win32_PWS_Loki_Zero | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep |
host | 104.21.19.200 | |||
host | 209.141.50.70 |
file | C:\Program Files (x86)\FTPGetter\Profile\servers.xml |
file | C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml |
file | C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat |
file | C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini |
file | C:\Users\test22\AppData\Roaming\wcx_ftp.ini |
file | C:\Windows\wcx_ftp.ini |
file | C:\Users\test22\wcx_ftp.ini |
file | C:\Windows\32BitFtp.ini |
file | C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml |
file | C:\Program Files (x86)\FileZilla\Filezilla.xml |
file | C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml |
file | C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml |
registry | HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts |
registry | HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts |
registry | HKEY_CURRENT_USER\Software\Ghisler\Total Commander |
registry | HKEY_CURRENT_USER\Software\VanDyke\SecureFX |
registry | HKEY_CURRENT_USER\Software\LinasFTP\Site Manager |
registry | HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings |
registry | HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions |
registry | HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions |
registry | HKEY_CURRENT_USER\Software\Martin Prikryl |
registry | HKEY_LOCAL_MACHINE\Software\Martin Prikryl |
file | C:\Users\test22\AppData\Roaming\.purple\accounts.xml |
registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird |
registry | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
MicroWorld-eScan | Gen:Variant.Bulz.458140 |
FireEye | Generic.mg.080f3430fa1c166d |
CAT-QuickHeal | Trojan.Multi |
McAfee | RDN/Generic.grp |
Cylance | Unsafe |
CrowdStrike | win/malicious_confidence_90% (W) |
Alibaba | Backdoor:MSIL/Androm.99a93f04 |
K7GW | Trojan ( 0057b95d1 ) |
K7AntiVirus | Trojan ( 0057b95d1 ) |
Cyren | W32/MSIL_Kryptik.EBW.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of MSIL/Kryptik.AASH |
APEX | Malicious |
Avast | Win32:Trojan-gen |
Kaspersky | HEUR:Trojan-Ransom.MSIL.Blocker.gen |
BitDefender | Gen:Variant.Bulz.458140 |
Paloalto | generic.ml |
Ad-Aware | Gen:Variant.Bulz.458140 |
Emsisoft | Trojan.Crypt (A) |
VIPRE | Trojan.Win32.Generic!BT |
McAfee-GW-Edition | RDN/Generic.grp |
Sophos | Mal/Generic-S |
SentinelOne | Static AI - Malicious PE |
eGambit | PE.Heur.InvalidSig |
Avira | TR/AD.LokiBot.nvgew |
Microsoft | Trojan:Script/Phonzy.B!ml |
GData | Gen:Variant.Bulz.458140 |
Cynet | Malicious (score: 100) |
BitDefenderTheta | Gen:NN.ZemsilF.34686.lm1@aSuiFof |
ALYac | Gen:Variant.Bulz.458140 |
MAX | malware (ai score=80) |
Malwarebytes | Backdoor.LokiBot |
TrendMicro-HouseCall | Trojan.Win32.BULZ.USMANE121 |
Rising | Trojan.GenKryptik!8.AA55 (CLOUD) |
Ikarus | Trojan.MSIL.Inject |
Fortinet | MSIL/GenKryptik.FEPS!tr |
AVG | Win32:Trojan-gen |
Cybereason | malicious.f374e7 |
Panda | Trj/GdSda.A |