Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 3, 2021, 10:12 a.m.	July 3, 2021, 10:17 a.m.

Size	6.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0f4dd44174516703ee52802eec6f49fc`
SHA256	`1e5559caf020549f18b27ca5dcb9087b2d1f922b3de747d82b5503b89a849b95`
CRC32	`154E2899`
ssdeep	`98304:MAI+MPp9Ix03E0ApRFSEqN/AJAk7LlUtPU+6d8CLPzqsoeaDwVBdSoijeIGxDzW0:btCDT3bSVAWlUtPU+rCbOve5zdSdCRDl`
Yara	NPKI_Zero - File included NPKI PE_Header_Zero - PE File Signature IsPE32 - (no description)

1820789375.exe "C:\Users\test22\AppData\Local\Temp\1820789375.exe"
8564
- audiolic.exe "C:\Users\test22\AppData\Roaming\Task Launcher\audiolic.exe"
  3532
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
104.192.141.1	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49813 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49816	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49820	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49818	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49818 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49814	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49814 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49819	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49819 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49815	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49815 -> 104.192.141.1:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49813 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 3, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 3, 2021, 10:12 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 3, 2021, 10:12 a.m.			0	0
IsDebuggerPresent July 3, 2021, 10:12 a.m.			0	0
IsDebuggerPresent July 3, 2021, 10:12 a.m.			0	0
IsDebuggerPresent July 3, 2021, 10:12 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2021, 10:12 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Performs some HTTP requests (2 events)

request	GET http://iplogger.org/1ZnPa7
request	GET https://iplogger.org/1ZnPa7

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 3, 2021, 10:12 a.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 3, 2021, 10:12 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13275447296 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (25 events)

file	C:\Users\test22\AppData\Roaming\Task Launcher\libgthread-2.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\audiolic.exe
file	C:\Users\test22\AppData\Roaming\Task Launcher\mingwm10.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\pthreadGC2.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstfft-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\imageformats\qgif4.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstriff-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\gio-modules\libgiognutls.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstcontroller-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libstm30.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libfaac.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libchromaprint.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstapp-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\liborc-test-0.4-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libid3tag.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libmms-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgmodule-2.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\qclp-2.3.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libogg-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libffi-6.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\Uninstall.exe
file	C:\Users\test22\AppData\Roaming\Task Launcher\libplist.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\ssleay32.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstsdp-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgpg-error-0.dll

Creates a shortcut to an executable file (12 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Task Launcher\audiolic.exe

Drops an executable to the user AppData folder (25 events)

file	C:\Users\test22\AppData\Roaming\Task Launcher\libgmodule-2.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\qclp-2.3.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\gio-modules\libgiognutls.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\ssleay32.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgthread-2.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgpg-error-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libffi-6.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libmms-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libogg-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\mingwm10.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstapp-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstcontroller-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libid3tag.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libstm30.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstriff-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\audiolic.exe
file	C:\Users\test22\AppData\Roaming\Task Launcher\imageformats\qgif4.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libplist.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\Uninstall.exe
file	C:\Users\test22\AppData\Roaming\Task Launcher\liborc-test-0.4-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstsdp-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libfaac.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libchromaprint.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\libgstfft-1.0-0.dll
file	C:\Users\test22\AppData\Roaming\Task Launcher\pthreadGC2.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 events)

Time & API	Arguments	Status	Return
Process32FirstW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: [System Process] process_identifier: 0	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: System process_identifier: 4	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: smss.exe process_identifier: 224	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: csrss.exe process_identifier: 300	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: wininit.exe process_identifier: 348	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: winlogon.exe process_identifier: 396	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: services.exe process_identifier: 440	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: lsass.exe process_identifier: 456	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: lsm.exe process_identifier: 464	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 568	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 640	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 700	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 776	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 824	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 968	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 264	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: spoolsv.exe process_identifier: 820	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 1192	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: srvany.exe process_identifier: 1244	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: taskhost.exe process_identifier: 1284	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: KMService.exe process_identifier: 1324	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: conhost.exe process_identifier: 1376	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: sppsvc.exe process_identifier: 1800	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: svchost.exe process_identifier: 1876	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: dwm.exe process_identifier: 1496	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: explorer.exe process_identifier: 1848	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: pw.exe process_identifier: 3516	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: taskhost.exe process_identifier: 176	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: audiolic.exe process_identifier: 3532	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: cmd.exe process_identifier: 7316	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: conhost.exe process_identifier: 6444	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000003d8 process_name: pw.exe process_identifier: 1036	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: cmd.exe process_identifier: 7912	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: conhost.exe process_identifier: 9100	1	1
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: cmd.exe process_identifier: 3684	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: conhost.exe process_identifier: 3968	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x00000370 process_name: cmd.exe process_identifier: 5352	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x00000370 process_name: conhost.exe process_identifier: 2340	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x00000370 process_name: pw.exe process_identifier: 4440	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x00000370 process_name: cmd.exe process_identifier: 2736	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x00000370 process_name: conhost.exe process_identifier: 7184	1	1
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x00000370 process_name: pw.exe process_identifier: 8496	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 97 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x00000380 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005e0 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005e0 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005e0 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005e0 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 1036		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 3320		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:13 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: audiolic.exe process_identifier: 3532		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0
Process32NextW July 3, 2021, 10:14 a.m.	snapshot_handle: 0x000005d8 process_name: pw.exe process_identifier: 6564		0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware2
MicroWorld-eScan	Trojan.GenericKD.46564545
McAfee	Artemis!0F4DD4417451
Sangfor	Trojan.Win64.Miner.anfi
K7AntiVirus	Trojan ( 0057acbc1 )
Alibaba	Trojan:Win64/Miner.e6a8c736
K7GW	Trojan ( 0057acbc1 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D23717EF
Cyren	W32/Trojan.KLUU-1232
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACYJ
APEX	Malicious
Kaspersky	Trojan.Win64.Miner.anfi
BitDefender	Trojan.GenericKD.46564545
Avast	FileRepMalware
Tencent	Win64.Trojan.Miner.Hfp
Ad-Aware	Trojan.GenericKD.46564545
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Agent.bipal
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
FireEye	Generic.mg.0f4dd44174516703
Emsisoft	Trojan.GenericKD.46564545 (B)
Ikarus	Trojan.Win32.Agent
eGambit	Unsafe.AI_Score_80%
Avira	TR/Agent.bipal
Kingsoft	Win32.Troj.Win64.an.(kcloud)
Microsoft	Ransom:Win32/Crypmod
AegisLab	Trojan.Win64.Miner.4!c
ZoneAlarm	Trojan.Win64.Miner.anfi
GData	Trojan.GenericKD.46564545
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.37165039
MAX	malware (ai score=84)
VBA32	Trojan.Wacatac
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DFU21
MaxSecure	Trojan-Ransom.Win32.Crypmod.zfq
Fortinet	PossibleThreat.MU
AVG	FileRepMalware
Cybereason	malicious.d9bf43
Panda	Trj/CI.A
Qihoo-360	Win64/Miner.Generic.HwUBQ9oA

1820789375.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All