Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 25, 2021, 9:30 a.m.	May 25, 2021, 9:38 a.m.

Size	82.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c1827d46d577d50f668c8b0b845416c3`
SHA256	`de030e8408071c2238466c90058165060ecc8d1c022c4817fc5e217cc5561f54`
CRC32	`7A03EB7C`
ssdeep	`1536:DQpQ5EP0ijnRTXJ+MOPcnKYeu59VDi/gLrxGjE9cHHEd3+dGo4tR3Up:DQIURTXJ+M7nAM95IgLrl9cAUJwe`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
620
- kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
  2256
  - kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
    2772
    - kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
      604
      - kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2548
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2704
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1116
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2936
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1224
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2728
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2832
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2160
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2324
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2044
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1632
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2984
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        3028
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1744
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2840
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1408
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2420
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1048
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        3004
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        2080
        
        kn.exe "C:\Users\test22\AppData\Local\Temp\kn.exe"
        1320

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2021, 9:30 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a740 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d4fe0 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2256 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005efaf8 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2772 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880c30 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 604 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005da8c8 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e1940 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c9aa8 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00823f80 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2936 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008288d0 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 1224 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5110 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2728 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005cc7d0 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2832 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 517 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00591940 process_handle: 0xffffffff		3221225477
NtAllocateVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2160 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 25, 2021, 9:30 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1	0

Creates executable files on the filesystem (25 events)

file	C:\Users\test22\AppData\Local\Temp\nsbC57D.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsf6661.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nslF29.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsdA0AB.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsm2C36.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nss3ADC.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nslB735.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsg1D90.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsu44.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsg836E.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsd4953.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsy7DC6.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsc6F10.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsz9A85.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsu57EA.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsyE308.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsm9214.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nst8C2D.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsw606A.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsnD443.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsuBDC8.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsv74A9.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsfA8DD.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nseF160.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\nsoAF70.tmp\System.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsg836E.tmp\System.dll

Terminates another process (50 events)

Time & API	Arguments	Status
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2208 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2208 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1316 process_handle: 0x000001dc
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1316 process_handle: 0x000001dc	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1768 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1768 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2892 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2892 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2648 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2648 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2612 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2612 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2112 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2112 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 872 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 872 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 596 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 596 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1852 process_handle: 0x000001e8
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1852 process_handle: 0x000001e8	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2780 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2780 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2620 process_handle: 0x000001e8
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2620 process_handle: 0x000001e8	1
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2948 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 2948 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 1332 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 1332 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2448 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2448 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 112 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 112 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 1916 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 1916 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2892 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2892 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2716 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2716 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 412 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 412 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 1636 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 1636 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 196 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 196 process_handle: 0x000001e4	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2284 process_handle: 0x000001e8
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2284 process_handle: 0x000001e8	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2716 process_handle: 0x000001ec
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 2716 process_handle: 0x000001ec	1
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 112 process_handle: 0x000001e4
NtTerminateProcess May 25, 2021, 9:31 a.m.	status_code: 0x00000000 process_identifier: 112 process_handle: 0x000001e4	1

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Cylance	Unsafe
Cybereason	malicious.3d563e
ESET-NOD32	NSIS/Injector.AKV
APEX	Malicious
Kaspersky	HEUR:Trojan-Ransom.Win32.Wanna.gen
Sophos	Generic ML PUA (PUA)
VIPRE	Trojan.Win32.Generic!BT
SentinelOne	Static AI - Suspicious PE
Cynet	Malicious (score: 100)
VBA32	Trojan.Wacatac
Fortinet	NSIS/Injector.AKV!tr
CrowdStrike	win/malicious_confidence_60% (W)

kn.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All