Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2021, 11:07 a.m.	May 4, 2021, 11:19 a.m.

Size	6.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0a6569e45a3a38f7168f4c4aa0594627`
SHA256	`ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38`
CRC32	`510E4B74`
ssdeep	`96:L1YtYF8d/XFvRxR2xs9it95PtboynunSzCt4:L12jWbr5P1oynWSq`
PDB Path	C b
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

46.exe "C:\Users\test22\AppData\Local\Temp\46.exe"
2648
- 19667.exe C:\Users\test22\AppData\Local\Temp\19667.exe
  3016
  - lsass.exe C:\2472355972237\lsass.exe
    2532
    - 2478016950.exe C:\Users\test22\AppData\Local\Temp\2478016950.exe
      1396

Name	Response	Post-Analysis Lookup
api.wipmania.com	A 212.83.168.196	212.83.168.196

IP Address	Status	Action
130.185.250.214	Active	Moloch
131.188.40.189	Active	Moloch
141.255.162.34	Active	Moloch
149.56.45.200	Active	Moloch
164.124.101.2	Active	Moloch
173.75.39.61	Active	Moloch
185.215.113.93	Active	Moloch
193.11.164.243	Active	Moloch
212.83.168.196	Active	Moloch
23.129.64.201	Active	Moloch
46.105.121.228	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.93:80 -> 192.168.56.101:49200	2400023	ET DROP Spamhaus DROP Listed Traffic Inbound group 24	Misc Attack
TCP 192.168.56.101:49203 -> 212.83.168.196:80	2014304	ET POLICY External IP Lookup Attempt To Wipmania	Device Retrieving External IP Address Detected
TCP 23.129.64.201:80 -> 192.168.56.101:49208	2520073	ET TOR Known Tor Exit Node Traffic group 74	Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49208	2522074	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75	Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49208	2500216	ET COMPROMISED Known Compromised or Hostile Host Traffic group 109	Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49220	2520073	ET TOR Known Tor Exit Node Traffic group 74	Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49220	2522074	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75	Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49220	2500216	ET COMPROMISED Known Compromised or Hostile Host Traffic group 109	Misc Attack
TCP 192.168.56.101:49200 -> 185.215.113.93:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 23.129.64.201:80	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 192.168.56.101:49220 -> 23.129.64.201:80	2028914	ET POLICY TOR Consensus Data Requested	Potential Corporate Privacy Violation
TCP 23.129.64.201:80 -> 192.168.56.101:49220	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 212.83.168.196:80	2014304	ET POLICY External IP Lookup Attempt To Wipmania	Device Retrieving External IP Address Detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49211	2522180	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181	Misc Attack
TCP 131.188.40.189:443 -> 192.168.56.101:49214	2522139	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140	Misc Attack
TCP 185.215.113.93:80 -> 192.168.56.101:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.93:80 -> 192.168.56.101:49200	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49211 -> 149.56.45.200:9030	2002950	ET P2P TOR 1.0 Server Key Retrieval	Potential Corporate Privacy Violation
TCP 192.168.56.101:49211 -> 149.56.45.200:9030	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 192.168.56.101:49211 -> 149.56.45.200:9030	2008113	ET P2P Tor Get Server Request	Potential Corporate Privacy Violation
TCP 192.168.56.101:49218 -> 212.83.168.196:80	2014304	ET POLICY External IP Lookup Attempt To Wipmania	Device Retrieving External IP Address Detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49211	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 193.11.164.243:9030 -> 192.168.56.101:49215	2522302	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303	Misc Attack
TCP 46.105.121.228:9100 -> 192.168.56.101:49213	2522587	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588	Misc Attack
TCP 192.168.56.101:49215 -> 193.11.164.243:9030	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 192.168.56.101:49215 -> 193.11.164.243:9030	2008113	ET P2P Tor Get Server Request	Potential Corporate Privacy Violation
TCP 193.11.164.243:9030 -> 192.168.56.101:49215	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 46.105.121.228:9100	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 46.105.121.228:9100 -> 192.168.56.101:49213	2018789	ET POLICY TLS possible TOR SSL traffic	Misc activity
TCP 192.168.56.101:49208 -> 23.129.64.201:80	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 23.129.64.201:80	2028914	ET POLICY TOR Consensus Data Requested	Potential Corporate Privacy Violation
TCP 23.129.64.201:80 -> 192.168.56.101:49208	2221001	SURICATA HTTP gzip decompression failed	Generic Protocol Command Decode
TCP 173.75.39.61:9001 -> 192.168.56.101:49212	2522224	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225	Misc Attack
TCP 192.168.56.101:49212 -> 173.75.39.61:9001	2028401	ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex	Unknown Traffic
TCP 173.75.39.61:9001 -> 192.168.56.101:49212	2018789	ET POLICY TLS possible TOR SSL traffic	Misc activity
TCP 192.168.56.101:49214 -> 131.188.40.189:443	2008113	ET P2P Tor Get Server Request	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49213 46.105.121.228:9100	CN=www.bwngpox3bvalfmorvip.com	CN=www.rxshttafrocltee.net	d2:47:05:7d:2c:eb:e7:41:65:f3:7b:03:43:39:b6:ae:51:14:d3:42
TLSv1 192.168.56.101:49212 173.75.39.61:9001	CN=www.4y5zm6ezqlkhbs2ix.com	CN=www.5ul6h6l4.net	dd:c6:e9:d1:7f:2e:55:3b:46:92:22:14:6d:d3:0c:85:e3:5a:8d:b6

Uses Windows APIs to generate a cryptographic key (14 events)

Time & API	Arguments	Status	Return
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1ÂÄC.^ïW;)Í¬=ds}ËpJD;¶b$yZ0Eû,¹rü_àw(§=,_ÒÍî¬®½h\i1§ÕA8¤Àèt#ÝÊä¢/1Õ²ÐÑù¬"ã ý8X d¶J¹÷C®qÒ\|·ëøºK'Tü crypto_handle: 0x004429c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1,û{´[ÈØóÌÑVÈTl'Zap ! HäÉ;CÖÏæ.c{´æÅ²ÐaüH=·Á2·[v·?rìècï¶Ô¡{À÷Âª%¯þ_ÔôP°éP[Uªèt¿T8H½Ìäl_-@¸P:Æ±_÷Ä4 crypto_handle: 0x004429c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1iþõÔBúîµwrxùb,×\|×r7¡K<P % ~VØCÿ~Çñ¡dåÁhK~Ñµ[Ç¶³ff¸Fy"@zÝÂ7\lðó1-ÜBñëùÅÌàr<d:ÊôAM%"a> pò¹f]ÞiN crypto_handle: 0x00442ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1ªM`pf¡B&NC;Iðy\|CÅã,º;âf¬{ÑÞQªWXÏ,ð9ã2]1îKlûTúîF$¬5WnÃI×4ëâmð0ÜØNï9³'Ä4Y¶2áÂß¡:^g5äSuµï*¨{ÎÏwV#'´µ±²Û crypto_handle: 0x00442ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1Ú&V$/óÖ¶ ñÖÚùßÍòGæ}ÃA³l×&´^öÅî·P4Ýùp.T1ÅNøÌWBlÖ¯)Á$ÄDîN_u5ÔÖ§L&E${¡®øËéwìæò $5u*¶¦ö¤îìD»Ü©ØTü("y crypto_handle: 0x00442bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH18ëøÇ"åðÛÉÓ-]ºÜuóï[âNv]èöx. )Ý5±#¤UcÃùU$´ùxOIÁr ô=£ä4ÔåNëù!,ëNyÔ¢è« ³ > Þ ç²!öçé£ñ ù×èê3ÏQå)VW crypto_handle: 0x00442bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1¶?Uø¢½FIz8ò4Ïl5ÜwIk/§¿G¯ùB¡ûÒ´Å¡Æ5ê2OùpDªÚ)¤ËþG'Y§(xR-É`±½aøá¥æ¯[Öð[:ÒUgêÎ,\|PG×Z®gð\ã@ ; crypto_handle: 0x00442c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1íÛâäÜüº\|fðÒiØ%QÝÖãÊ7ºÜ¨`:<}¦4Áo¬ÚGü·¹þ³YwéRÚ¸kdP§CÃÎç«Aæý ®>û®ÛÚAÈÃ?1Põc:ü¦õòîØ:¾®¥>ýsy^û~áùL÷ù+±é40ä{ crypto_handle: 0x00442c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1&÷â®0¢Îal<=Ââ?>ëà¸¸ø¡Å1éîuîÅ¶¡¹Ìó¤ÍÑòshæÑ~²¿Mdå2ýÿb5{û]PþW.¯9È,Ón_Ñ·Ë2Ém{«.Ìöªmá¦:)^-{<$»[d{Êi^ì8 crypto_handle: 0x00442b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1âÇ¥·E¹ªã(Ú»ëçÉð+þ*Èf£G¥Zýÿ[P°XÿÆt¦SÂ¯z>b¶¾ªdRµËØw\|¬näÁö"Òöïß\>Xá²Ôìî³iuX¾[©°Í\|+£)Ï!U ¹Ñë¿K;( crypto_handle: 0x00442b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1oóDLf5yç_lcáT4ôFªE°ëîléçîy4Ú!àÉ5×NÂ^odFAýíï\Æ§<·jZë eWx_3QÅ]ÃLk±»CívSd^²VçV[ûDà*"GVæpÖìã»æQÍ crypto_handle: 0x00442ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1ÁÃ¼¹äçÎRYú<÷&(±_Å¤kb}%ë^©lÄlp;¿@DëMÿGkZÊÂÙÚàÝÙ(U¨X £ç),Y4ÁÕÑV~k¦âÃÈæa^D³¿Âyà×Ì/&cÌ1h6ð?4.R crypto_handle: 0x00442ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1ÁNPVÔøZaÖ5dÔ:$zñ¤¹nñtÁ"î¶\Vî·¬K]£÷Óþº0ZæÝ½ûaä }3´PÄ-ÖäVx]^%l\Ð#¶¦Éÿóâû÷¥Y Þäæ:&Z$g¼»Ä<¼856¡zzHâü crypto_handle: 0x00442bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2021, 11:18 a.m.	buffer: ªDH1Ù·hÒ»Ç ¸Ù±m§FªëòÕDcvÔe=¦Xi¬5×¯POÎ´/Ò÷Ì¬¸4[Êé,°wG2%Pà>¦tÚIr)x¾º]¶Y&¢å-¯â¹Fp·çÔ±H·a ]éóZ`\|ÛNè£%ÍkY÷ÖqÐ crypto_handle: 0x00442bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C b

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.93/pepwn.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://23.129.64.201/tor/status-vote/current/consensus.z
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.93/cc11
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.93/cc22

Performs some HTTP requests (5 events)

request	GET http://185.215.113.93/pepwn.exe
request	GET http://api.wipmania.com/
request	GET http://23.129.64.201/tor/status-vote/current/consensus.z
request	GET http://185.215.113.93/cc11
request	GET http://185.215.113.93/cc22

A process attempted to delay the analysis task. (1 event)

description

lsass.exe tried to sleep 226 seconds, actually delayed analysis time by 226 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\2478016950.exe
file	C:\Users\test22\AppData\Local\Temp\19667.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\2478016950.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 4, 2021, 11:18 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process 46.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile May 4, 2021, 11:07 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ö·¤DÙ÷DÙ÷DÙ÷cQ´÷GÙ÷cQ¢÷VÙ÷DØ÷ýÙ÷+Ý÷GÙ÷Ç×÷FÙ÷+Ó÷OÙ÷ZÅ]÷EÙ÷ZÅH÷EÙ÷RichDÙ÷PELQë`à 4Z*BP@à@\|vÜ°´ÀtSP.textÈ34 request_handle: 0x00cc000c	1	1	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 2fd868d94c6dc063ca49c767c873505fbc87dcd9

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (9 events)

host	130.185.250.214
host	131.188.40.189
host	141.255.162.34
host	149.56.45.200
host	173.75.39.61
host	185.215.113.93
host	193.11.164.243
host	23.129.64.201
host	46.105.121.228

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services				reg_value	C:\2472355972237\lsass.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services				reg_value	C:\2472355972237\lsass.exe

Operates on local firewall's policies and settings (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Network communications indicative of possible code injection originated from the process lsass.exe (26 events)

Time & API	Arguments	Status	Return
connect May 4, 2021, 11:18 a.m.	ip_address: 46.105.121.228 socket: 1812 port: 9001	1	0
send May 4, 2021, 11:18 a.m.	buffer: ZV`®ëä½@WÜ$FN³,ÏÏZÊRÓQ#9Å ù/5 ÀÀÀ À 28ÿ socket: 1812 sent: 95	1	95
connect May 4, 2021, 11:18 a.m.	ip_address: 46.105.121.228 socket: 1804 port: 9100	1	0
send May 4, 2021, 11:18 a.m.	buffer: ZV`®ëÛY7Ä¯@ÐGsl;X õ3Ë«JS/5 ÀÀÀ À 28ÿ socket: 1804 sent: 95	1	95
send May 4, 2021, 11:18 a.m.	buffer: FBA9}åx¤ìSÊ Söx/6¸ÁÜ£ ãÂqõª-KN¨Fm¡ÞDôÉù1¡WÈ¤¯?Ö0sqç¼ô[ËîÓ!Våæú]¿s Ë-*ÆÁ·´êþRóáhì<±8 socket: 1812 sent: 134	1	134
send May 4, 2021, 11:18 a.m.	buffer: FBAú¾ï5µí\|ÚÀ{»Wßè5I[Òâ,Ã«ë53Î,ÒßOBüqÓ=æc.l¿À=PÐà¾¯sçL2^EÅëlÜ0ïôG*z²oÞB¥x»¶KùÏ±;XÏ÷ße5n]ÝÍ_0n¡&@D@ socket: 1804 sent: 134	1	134
send May 4, 2021, 11:18 a.m.	buffer: µ}3Ï(¤c"IuSO ¶ØÀ6\|²`ë socket: 1812 sent: 37	1	37
send May 4, 2021, 11:18 a.m.	buffer: 8OîÈ+¡Ü°ÑlêS¢ÿN¥,Á4[m$_ZKZáÑ])îÜa7+M×cÁnlõ>\|ÎgXz6BÛÓÑ^Ëaìü]H¸ O~RòÒéZ\FÿóÙ°7¥V& QÓ³0òrûúÐtvµ2¨Õàä£o-S×¯?M£t5ÅêvE¿¾.ßy³!ù¹\msóp×RÏ±C¾}pºðÉ:U\|Í bl Ð$iÑ@øDÂ_ü?¬^ËO¸(JcàsÜÚ÷axÖMïËGóQu¶øÐó[ôvßÙ)i?ºÄÅdÊL^5\^h)@_àÕíî"ï¨¡ü<Ý}¢Oý¯û#øô²Ú·;ã%m®²Òì4£µH¤HýÛgöoº%P£á.Cý4Ä\Ê\|ÉfLg ÒW'ènÌk6){áó_ëÏÇFt19òì³ö r¦ý¦cº÷`PÃ\÷_eâ$®S7ºÏô§%®âü·0LCr:s5T/ªåúñåaj_²I¬xÐ«LAõH.§èbØlq?[¢KñOÚÀQ?t«4g_,êï¨ái¥ÒÚøk´/&~Íø\|z ~½Z§ÌÙãú{\|Â socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: o¹u='wÓ£=Ü4µ\N-!Õ)ÎKâ4 socket: 1804 sent: 37	1	37
send May 4, 2021, 11:18 a.m.	buffer: JIÀdÜÕáò(,þ¹¼Éx u¿2ÛHÈHliô:ºp]ÁÖ"cë@·°Eøâù Î¼ÈKò«vÆ!RC£óÉ7l7íBÇ%qÒá°¦ZNMå{'>à¿%VÆÎ0QÊ¬¸!l%-ã1j±OdÁq?V¨µQ¸xMS!á?H:C§$"üwÍEoC! $·ÀmF Î%×& òrÝÆú(ÆÅHÍ»È& Þ 7B@L<@WüüHÃJÚ1S´Uî¤ÀT¸ZCÊ0v"5°e`Õ÷û¦s.Ä%@D¡MìÝ¹`õÿ/\;³Á«].n¡`ºó¿Z¦3Eú´ZDîäÃÓü v? GäÄ·D ¢Ý0ZT¶ûÌÿ:(7pr8S>tÃZÊ³¦ÞÙëîÙ0µMö½ÈøîÏ1¾~ÇHN¯Sp¦õhü&Mò§é</Q[âïÅ#kP-þ¾þ~Ãr¹`úÒ×«¿¢Ê9gß6pæÀä¹~L@ëÀº ! ¯5·Ö3¼ÝÍ3<¶¸Êé±à z¿_ ÙÝ,T¯»é5/¨T±G'¯öÈ,µîÁ`~LRøáª^Å>êT/8«2î[-»¿¦tê'ë-ÿV<¾`ú¿£rLö\=ñ·¤³JW socket: 1804 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: gd+ª\Eùj56Û'xã6§TC÷î¸¦Ã¢áÇ8YbÐkÒÙF¹âÖ°n+T«üÆ6«í?¢Ûþ[3H(ìºÔ²¢tÄ/zÜÞàÃ²eÂJIm^bv0ºcÚùk©tDç"x©ïÈ§7(v9´µi¨k0àD¹GÈØ°t¹êÀ^z©ê£;ÿï/ö-4«#g&]%sïfoî!<<u(ý4yËFáb_ºP$K4YäÛ¯éÍC%¾öáGxÓµÒ_ 4Kh0Ð¤)DÅÄ5O\©WêDãs2=ÂÑF8bA÷I©ù9 7ÓG7Haww£TÅ}Mò"°Ä¬`h£ ×¨ ®TO\ô'³ÙåÇ==è´[pðøêédMÂíÀ?êÁþ%ÕU;{ØïØh¹büYQ!7rªgK) `¶OµxÓpvóhI¦Ð «9u#(â\|ù?ô'Àì7nv5óä]±Ö¦ïý¦S#<,®«LÆÿÁ*úa77îy»q{t¸^UË¶DîDNò± <U¼ndU]$ëØÝ¥hªr'OåEÕi)_í´kÔ7`qdpCÐH&ÙrÜ#HL¬À<8 Ôù:íÂÄ§>pê51`ÈÝ socket: 1804 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: ¹ÑvbÏFóÖ~ÎÆGl9p¡Ëy& _î}Tô^©égzÞ£L£ÜË±=`° Kø¯Üpg·$°×hB¤òKl·#;z°#[Ø¦Ëä´VÖDQ ¢Àº¯þ³Ö·§ ÈÐ9î'ôÆÄíÒJÂ{TÓÅ>ªg¯íÝÄ7·4C\|IdJó5ãü=Åc4¢v<ÄÿèJrqF2§æÏ:±å;ÓR½©É«¹Ç`æ=µðåVãS<×iXqkM\|t÷J}gÿÞ±Ù:<Ä¹»ò°C×C`¼Ù:\|øï¤Ë¢þ:»0;ïç½íx8IÀÿ7ÈnláÞâÂë{¿ ¿;Ðæù»èÎôóyz3ÑaîÒý.kon²roquçêÍDá3ÞÊºQ"º§ÇpõTlïBrfÆþ~eô¹L °á»«[@æAÁYv9_º"£îlÎq@¢×´4{çÍåÕ, ðéqI{ØçØ¸R¥óÔß¤Yåàýæ÷èú7KH!¶ü±ÜHãÒ#Çm©x©-ù:î@ ½ü[R=®ï L7ÙÙPgPÀöNý{uTÜ¥æËç\Îô¥ù_@?3Pl%]6 socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: «¶wøñnÄI#¾BßqQºN9÷w\|:O_òz.¬L¸7.IñDbIw0ºk³MÃk`Vsî¤¨ æì¾¢YX{á'%2g_êóbk5d ¾ ¯Fû)Çg4q¨1F\°M6]¿ÇÐý99é;}.qÑÚXd!:ANWÔcµTTÔPmÚS¸"Òñ·¦0?[dÐËRÚ4÷"°¼c ÐÞX¤zZx `+)ÄV.?Á¨Q¡;p±]Ý AàqL©wq7ðõÜ±þD?¦~ªÅ¸ìQÜ»^fyD´¡'q¶ÛáÐÎò¦£»[¢ëSò joØU>À8DÌÓcÏ-ò#Z¹]¿HYñò_kDýÔ¾´#&H ý_SLÌía8Te:p_ë uU]Uû¬+ú§' D¼«]«ºw` ¶ZDw"#µµæjºwÆd.ø< \®û>óèÏuu0"£u>õf7â©gRðeÁûã¥xÂ ]`²Ùu¸áYQ'äí/à×üýY¬¦J¤×DÎ÷ <K*©µ ¤<üPî.ÙÑ¬#¾üxïÖ:Á[]Ù!6YKáÈ³¥í£hòð ²ïuRg"³v¸=¼X'u~ socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: äuU©¯ªã#Ù·ZtÇ»÷Ï×Å©lóÕJ¤ë(SÈ§R 8U? .Ï1õvøÒ&Uctáw£CI³ Þ®#×Ús«"¬ìÚWê2ùTyÿäqäîô*¦éµÇòì·¦y¶F¶wUÇø¶AáµG^è¥ðå¾3Èr¥xäeZ_¶Êó-ôÞóªX>TÝúÃ-ÝèÄF 3/¾K¨ÔÅLJÚ°,«Û ³.-ù)Ò¢ÎÐÅTn§$.±3ÍÙÑN1ùò^{ô.Â«1IRG$½JF§SùVlÙH%)÷ÛW^§.ôÕ{É»b3ûúøp$§ìÏ9ÃËì}¬¨ßõG¦½\þ¢ÿòÄ]s>Ç¯ûÜãÓ³ã®§g<Boãßâ a:Æa,#u7F>I,cg¿ÕPäx5µf ®>e¦£þW3^Ëa ¹\Æ.·.9#5^í½¤ÝIü¢,»Åç¤ì^v©Îr¤P¿½n¦P^J=×.tÓ=ýBýøªu)®Ðtb~/I@Ï£¯Ù°ÑQªÄúÎQBwµnÀºíaìºÌAÀ9öï ´ÕaÅt©É¶Ql-®ýÕÑËGL Ãçto#Æq socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: C1¾3µºÝM&Nyv mQô£/ã&¨üw"DW1<}ÏºäÃP«m>kå<¹2CjPÈ Ý µrHåwurÍÿýXKE's_ðâ´Õ22#\|.yTÕd&&kgX=²Í¼´3f#`èå»Ñ»O71¢ù¾¶y¿ÎÇhÔ<B]>oÆ 2ÎÏÉËX²ÁÍBT8"s¯?eÎ04åÞOì]¤¾¿îfÄh:ßÀyíI 6F¸sÜ^µ¤M,ôííµz5Ð¸äxÍã ðÐ&?z["g¦ülsÇËj9W ?èä&RØ5ÅDô¿¸6m¦.¬&FïFuÄ5cÕgöùÿiifQÖ¨± t¶µÛ®íc#ôÐØdy_9zªXª¿Oh :ò¯ÊùÓBÙeðÀp!Ì/IÕÌø© ê^>GÉ(3 f[òD}Ù¢ú?JxGëñ=`ÏØÕ$¬²MëÔ Ô¾Â"$k¹jBFc÷}Â9U»íMÔYÂÁK³âl¼¾öbBmWU¬]èð{*\|FÃ¥±½þ¶K{ÇjõlUd æÁy¦[fFC< 0ÖwÍ-Ú÷4pãì£¼¦A$Ëtª]§!ª socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: óm{vµýý å¾s²Å:4yê~X ¥ù Æ©(kCuÇºþÁ¤Ó?êå'i¯ú»Îáz@$#Mq8)>ÌÈ ¥b_×^.¿".8!ÍÌïå§~ÒUÊ"3ªÙ³§Ãîâoùíó ÏV«¢¾Ë¬;RêúÛù\|2K^î?«¯7Nv_\¶ï1¢R]:&ÅaKtB±7ÌÓû8/§T¡ôm± ý;éWyÆPe¹ð¬½¹ßû<¿ràúZÉlÞ Ñe¤.Ñ^'Wÿ5Ñ#ÎDÙë;¢4··´§ÊÞ(ûî,Î,Ñ²TdýÀ<~9î¿¶Ã0©0û~Ï÷kÑùD´D¹ô½Lô.oHÄ{þ¾Mt9qcÍ:KâKY3ØFÖÉS»¼0èÀP©ÍçOdû)¦Z;4þ«¡íÛÓòAè¤Ý<¸óê¥]Eä%õØ FZ'} NEmØé;3J)oÓåCAET# ñÈ?#.:~ðe#Òü^ ï²Ïºæmb(åÁÒ¬#y}-^S¾M¢}¬gY5#ÿnáL÷°z;íRU *e~aW3çXÈÜb,êÛ²ydM%1uöëáS8Îâ¶è±ëöJÛv>ªrÓã\|º?#YùrÃ+à socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: Iá«}^ÉÐö&ßbhÞì¹ÔõÃs;ÞKûàz ,Ó?ÞôIîÄ7ñÓ:çõÚz3<ªU-70:KÌ[]2ô=Ì0¯Èi3ËH¢Qyuãºgòªµ¦{- ÂC\|8ê«\ÑHÏ};³wòËú%Q,+¬Dë~Ã>©Ñ÷ý¹3ª¹O=iâ1¿¶ ÌëêÆ¥YÃ %âI/"Ì¤ç!Ô0Vµ%:ñ0'Økô¶Çl¯~]Ý 2¹B\|ÉUI[3è ¥Õu}¬¸¤j:¯`y[,Rx^u + <«\hÔÐm4þuÈD¨ÏµM6~XÏ2p~PÀÏðàEmpYU2¬DØ'lq fbªZÔãFQipûþÁñNí7+4`kgº,È°vFz®9ê:ÃGåx'G ¼ûîÆ.êhö¥b±GªñÉð^uþÞQfTøØ¼Fõ,¾W©\|Èò\K§}Ü½êv:±§ 3¼íüû»eÞ@tÐwÛ ×±§ÔïãØdciGNwÎS½ÏõçãL¯¡=Z®p¥£õ¯§ÜZ!6}'QOoÓíÝ3fç@"8sHdWý»è§Éd%sõ3ÎçáèÐý socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: Ó V4Êî¿bLG¢^93å\|quØòi5±w£½UÏbÆïø5eHÄ?¾ÂÇÎ¯«f3Z N¼r6vÿþÖÔdå¤äÈÿ W(¥DD¼nà1âðÙÕ%jnFVJaºibGþH¹;{ W^EÐ!0O}Cþ/áý²@Âr';?úöJëðÐàönªÝsºUR=ÎzÄÒkjÎ¢·5~Eqw¬¯¤£W$Øtªw`¿ßÚ:%ÚG7OjR?º8JZ$ Ø¾ Ôï)\|=½½óüJrÈ¥¬\|Êm»Il#¦~õû§Æ¬¢Ëw«jôjàopfü¹;¯CòßÚd8¹` bD'lr@kATVªGMî[[O³ÔJ¯©;q¤±sà°ô³ñ{t`Nû£%EËÍ!½»q JØ¾Ö×n¥hJ» . óùk>jó7¬7 ]!í ñ6qÝ#2Q£;R+¦ß¼/³MÈÂ£Vqï5°Ç* èk]D© [èW£®D %Ä3õ,_õCíÍ¼h©Ëe,)m×J]¾q·.µcÌØ¿yFè=©áR^#&x:YHíÉvßÝÓ2â¸$~7JÇM¢Ògôöá(80 socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: ¸½'2ÆÎ5ðlRQJ;ÿËQÌrH#×ImiÄõ-{àCÆÚbã¨ÓØüMTÙ¢hETãQûº¨t{É±O¤S§'¼ª`YóòM¹Æ¦Ôs@þÂåÑväU³³h¯¢[è6m¸+u~Á#,@ÂFÞíþ3êµ}Ml<]tN¡§×bH$/§<©¡ÛÃyµ^>Ýq§P3DÒø®CHV<]y8Ì}$uÔCzräeððõ·R%:aï@¡þ4gH à¬Ôêð¢Xê1¸ËÆêMÜ¾¿HÙèÙ.e¿ÕF,Æ¿ f½´H²µ_^íÔôFì¿^ 0[\|<¿Þ±vL Ý 0PÍOb®ß),#èÊèúéº4ë7 %£r Í-wï4mQk^UBÅ§èã^ªKf`"ÓÔyèçy [wZUá #kÙà\ê»¢YþÉçYìO¨"B¨ðSD¿aQrµûzþþ¶ KÝ¥gÎGµ<-HÙß½ÊØ\ýº©T!¨[)N±5·2Éðxìö<Ö@+Gâ.¥¶¡GMÞfÉF®\$H¨o->9*'sÎöýd»ko{;Õ·¶6à÷ßIeýá½ÕAX×ãTåÒ#NÐUZ 1HiÍÉ-RÔßSMlYÜ%}Í¶´ socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: ]×¯½èJ[þ zÝ#9ËôÑÐÚÙé¢åLù× ¥L ãÌ}i\|.ûD¸AÝ/xzêta¶Îíè} è+lØ8\PöÇè=:î<qÒué+kíQKÚú4×NÆ¶X=w" ¨ÞLVÀ¼Á4Wak_4HÅ·àô©-Ó^ø1Åo×füMÛ"\bÕQè5ðÞèhûvý+®wÌ68HÆ³oõú48éùå¿T£ ë^~ P0ªª[¼°ÚÂõv< J·mÛ>,NcM_pÇo÷<ïn%Øl»qºÁô¦òÝFÑ'UE Ñú®4[·ÿá6®Ä[ª?^ë§¤'pÂYx/QÒcj£ ÁÅè^D¥éJQãøÀíp°øôãéU>¹ìøeLçÌ%\~ßÙO<åÛôu¬äÙJÿ_àAÎ9£c8ÅèRÕpXNWöê´á}Gv<Û<eø°ÒÿÝRýËÛB÷¤y³éâÑÅý$ÈÆ·¼s dòÿ¨J¤/ÆRÑ(GÓµ<j>ÙÊP±ÕH&ºßÐÜ-UÒÝØï¹e·§$jNWÛ¶Ú%2Ý`Ø@ô\|`Xò@v D(ÃÂ4È3¨{¦ÏðÓm*ÎòLwX;%wªKp9 1 socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: a§`ÑyâG¤üÛgØnoIûs`wÙä,ìZ\|Ø}ÜSv%ÒGH ê\|Í¢qTeg4êõz?¹KÄ)ëWsÄ_?ë¢ms9{ï èþ øOÉþÚý\|¼zu\eFíIµ( pzÀ9ìÍ¬ÞîI5îñÇa²oÿ¼ívDÜv¥ ª¢¸×ÕÙVã'O©ÀaTæÑt+¾<õ)R¦í+÷,$tg»aòÁºý¶ÄËcÞ¬ë¤ã=C_FµR\|\|Òößk¢¬]2õIöÔàØøoÍJ®~×EäóbUô¦Ð>ªEx²'¡9¬©ç @9âøÅÛ bö¤?R1ýöícÕ§ªÄîãéÙïïe¦nFÎîéÿi ïÄ¿³x¸ðÜÚ¿blRìG!¥dbÖþ»öô+¹SÔx2×ÂÁ¨ú?²Ì)hL©:Õ3Èå°úÁÁÇ6ô¸o2ÚC¥ÁmÈ¦(ÊÓ°¾ÝOK ·Ò,F¨'>¸p'jm#`tRjØUÈ(UA£;¹m£îÇÉ"Ðê¼«À~*òÞ0Cã¥ Dà1ÎeÁFT»!å3¥ÏÉ+;ÖRD6¼hïMMòs?õÊ$H>a¢ù socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: WvjÙ:?y[²j+9@ß¯5¦+ ^ËÙëU)÷22ÚA^âtçCnm¤Ú8s©+£øP[nýÕê=XmÐ¸èNYÂ~§æ5#ãHt':_üÝùÕuÞ\|«Ï{5Æ)ûí-XI6dl<iÓñÈó¨²×í¦MªÏÖñ±¦ÚC!Öq´>{ô¾üPÅ¸ì\|Ï³ùÜÃé3O)³ªájnûÿFÂGé~9#N1GÈ Ýy6c@$è£8'~ÍÐ¢vtYn5±Ûò ¸ÆA©ô.G¸5=09@)¼\¹¯ÑáT¢`z!NÜZLYu¾íÍ ú/#¼ªwÅ`³¥ÒgVöãzÍP =§³rø±& r<NQÈ%X}-cAîëëpñº¥.ÕðÐsÃ¤WQÂlH:©\|æ¯PO+Ó£!1ÇÇHã´ôîZPhXÅKÛ[ÜD·ÀYë&û×-AÉæÙôîõ: yæ8¨ÓýHF 8.]BÏøðUvÜÛö ]ú/\|`Ùw#½BeKi¬`{8Óô<EC¼mÙGÕÚS÷ó]izbtgLK DÙjÞÕß¹Ëx5»ð¢¾ÓjßÒB`CÐèíè1> socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: }ëé_+Yy×,ÃQHlõMdåC½?Ó>(lEÅÐUPÏr(ö54RN;Z`fOzßØ@µ>VaXïúM¼)ôÉ¡Zh_OJùVû/Oøñ¸4Eò>ÿÐ}UÏçÙf·q¬ø5ºíÊo¬í¬ZÃuF-ïÅ¶V\| ÜpI¦[ê>kÕeøGCbm}Ày VéÂó_øO]´(ÌSTöÐÎ¼þLµ¤:D%ñAzz Nj3Þ5MÆ²üÊw m?¯øßB.ë¬}h1£eHîýC¸>ôï8:¨a«ó²u»+F4\|r¾îÝkú)ïTPèvÛ ;JÂÏ3kÜÑ6UDäÑük© Üòûç:GÐ³cÚ¡gð×7KHrUýr.y?¼Û©X.:hª5é#Û{å$<Uû.UØ+½÷c"`àQfÃF"Ãñsáw¸P»rä&áø!Ü ¥(£ÿAô)ujÆQ¨ÙÇ9ð&ØAÎ'Di:t«\k02>;o°¾D Ö¦FGB1õ¢YÓ.gØi¶kÞ¶0ø}÷¸+GÏ2§<mo»Õñ{ö[.§øCùøJ1¿ú¦R=`Å¢è B}`náÃÍX3ìÐHKñ0 §ç(4ãòÈb socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: +4Az3¼¡}~]".ì$·V>²t×8E}ã<ü}PÂwk88pÍÐ½cW`¥Ì^¨©1RDíOôúþ '%a¡}Ã³©ÂyÂ^w^Þñf2n>Ú¹´K¾8`öæÞ6ô¢Ø3(¤ÿø«æiàÊÁXCêùúÈ´ötÒ»]âý÷Låßx&/Ót>¬u PùÜ&Á] Â_©¿YØ!~÷ìýåîÞ¨ì-¢íUKlWBÀs®¼0áóî~¦e½U7u4AËÒØ¶EJ/d/üá4Z ZÏ(ÙëõÿÖnzÑøÇ=Ó5õ"E9Aey:³Ñ¶ØÚ×5+Ô¦ÞMÿß?Þ¥'¼1YØ§m¨6îbN\8jÕ d²Ç¼îz³8¶Ä^æqJ\|(wÁû«îÔ9ª¿UW¿X´ûÚ^BTGjUájnÝbÝdï ÷×¸êxEôÔV¬Ê6ÝýóôJ¾½W{äîi+3þX7½³ÙÚgèþø;¦³Q×È¬66½Ë](âDôÛ¢]ãÓs¬>¥¸7½¯X³ëÉ¨ôöe7ÔíaHÍÿYÜçSÄ\nùRbÆXS+x/?ÕÝQ£X,c socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: ;òþ/¦ðJ«EìA«#Þ´nè¤ËxÒÒ3óÂÅ½8yU]1»Ò½ôÆA=[KO¿ï°1ÜÇqnéEqGÃtIák¼\|¢k§à2Ê~}wï)sâ+ñÓ#¾{+c\|öD¬MI¯2éíÅ¸WRÌ9a=Jk¥¦÷¢+I®t±)¢wFB+4ªÎûkÀâa@×Xlícî·j'a[¸Äv+]8ä`EÒÐyÌV`½)\ ¸Ü?lóû¬m×¿Ìy%VB$9è:nëRk¢ÚÇiÜ>Ä_h@ïú.}fÃRâð£í»F¬úÚß©ûÕUõ¯åÞÕ"8pÄ\|¥ô%Ø:´¶ÙkühoB(H@¨Ø~$ço;.ñÓ °$¹$ð+Q°z.õyÏ%ðÌ&>O¶Mã {åõté-÷ÿÎæ¼Î?Æ²úÏs²WÓ.»ÍîÄ`>rlrfåÞærÀ3UI43[n³/Û>Ú#Õ¥nÖÆobÒéH^®¹ai!P¾i» ùÓh@\|#&®¦DæÄ¹E£¹òûÎÝRæëòû)åTÎÈÉÊÊ\|abÙ&Zæ MüØ¾2¦%3&qPPAÓÇ-(Ñ þ Ë¾0Å)*KÃg ; ±5^a socket: 1812 sent: 549	1	549
send May 4, 2021, 11:18 a.m.	buffer: Ï©è+æ/DjÛMÝ?O!¥ø_}p+fHÙâ¢÷!-ê§ÙÑÒÈ½&ÏU¢öÂsÕ6~m22-Íoo4î÷KXÓú)ÙòUCÃHz`T¤Õ¯¡ªàä¡Ywúñ?)®2¹ðgå±75ÒPåø ðîëÃ°¤ÊÉ½+ÉÇ£õ©ÁB²z.SM ±¿ÿ1Û{üó7Ó²Ï6õVÑ¡V=¥¥qÖShEoÕÚSù=é¡3g¾oFv'ÀeR.zÉ¡Cq6Å¸Ç0UY÷uÕ®Ír ³y£Å{§å }>¢Vï¤ÃSeÄ!âÅªCÕ³âï·eæQ?òí@'C ¤nV þóÑ3W½ôw%HëJNµ÷ #é¯ê¯<'1¾²NIãÐSÖôm'Ç½$G: *Åâí¯:@UrnàK®óî4WUvßMQ`âÎCØX¸0=æ?Ú >H×÷8êQ2ø17LqÙ2²¨0%.Q»,»dÙ;)ÎÆFpGL4ö×¦ÝÊªÖ&»Oì;®»{^2G ¬£Gø[ÐÇwøÞ´ãäy'õ ÝÝ@Uoç/ë÷³µçBÿ¼×} socket: 1812 sent: 549	1	549

Modifies security center warnings (7 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride

Network activity contains more than one unique useragent (3 events)

process	46.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
process	19667.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
process	lsass.exe	useragent

Attempts to remove evidence of file being downloaded from the Internet (3 events)

file	C:\Users\test22\AppData\Local\Temp\19667.exe:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\2478016950.exe:Zone.Identifier
file	C:\2472355972237\lsass.exe:Zone.Identifier

Disables Windows Security features (5 events)

description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description	attempts to disable antivirus notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description	attempts to disable firewall notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description	attempts to disable windows update notifications	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.Zard.11
FireEye	Generic.mg.0a6569e45a3a38f7
ALYac	Gen:Heur.Mint.Zard.11
Cylance	Unsafe
K7AntiVirus	Trojan ( 0056d4f21 )
K7GW	Trojan ( 0056d4f21 )
Cybereason	malicious.45a3a3
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Phorpiex.AG
APEX	Malicious
Avast	Win32:CoinminerX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Heur.Mint.Zard.11
Paloalto	generic.ml
Ad-Aware	Gen:Heur.Mint.Zard.11
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.TrojanDownloader.Agent.EQE@80vxxy
McAfee-GW-Edition	BehavesLike.Win32.Generic.xt
Emsisoft	Gen:Heur.Mint.Zard.11 (B)
SentinelOne	Static AI - Malicious PE
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=89)
Microsoft	Trojan:Win32/Caynamer.A!ml
GData	Gen:Heur.Mint.Zard.11
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Dlder.C3467007
Acronis	suspicious
McAfee	RDN/Generic.hbg
VBA32	BScope.Trojan.Caynamer
Malwarebytes	Worm.Phorpiex.Generic
Rising	Worm.Phorpiex!8.48D (TFE:dGZlOgUN9lLDNPuMzg)
Ikarus	Win32.Outbreak
eGambit	Unsafe.AI_Score_97%
Fortinet	W32/Phorpiex.AH!worm
BitDefenderTheta	Gen:NN.ZexaF.34686.auW@a0A3T4li
AVG	Win32:CoinminerX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	130.185.250.214:80
dead_host	141.255.162.34:8080

46.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All