Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 30, 2021, 8:46 p.m.	July 30, 2021, 8:48 p.m.

Size	56.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`ab99e71c87f024b99c10c02f88b3e40b`
SHA256	`ae23b1d2d4ab785d755af246d6d82fca9fab091dbb4f886ac136812805354efd`
CRC32	`3C5655BE`
ssdeep	`768:noyjFenzoDcTEZF2VtC7Nrcti/S/Lr1teel6+:nSkITZCOt2wrzl6+`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

29.exe "C:\Users\test22\AppData\Local\Temp\29.exe"
2648
- 29.exe "C:\Users\test22\AppData\Local\Temp\29.exe" -a
  2076
rundll32.exe rundll32.exe "C:\Users\test22\AppData\Local\Temp\sqlite.dll",global
1048
- rundll32.exe rundll32.exe "C:\Users\test22\AppData\Local\Temp\sqlite.dll",global
  2696

Name	Response	Post-Analysis Lookup
live.goatgame.live	A 104.21.70.98 A 172.67.222.125	104.21.70.98
google.vrthcobj.com		34.97.69.225
ol.gamegame.info	A 104.21.21.221 A 172.67.200.215	172.67.200.215
by.dirfgame.com	A 104.21.78.28 A 172.67.215.92	172.67.215.92
google.vrthcobj.com	A 34.97.69.225	34.97.69.225
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
104.21.21.221	Active	Moloch
104.21.78.28	Active	Moloch
164.124.101.2	Active	Moloch
172.67.222.125	Active	Moloch
208.95.112.1	Active	Moloch
34.97.69.225	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49199 -> 172.67.222.125:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49207 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49199 172.67.222.125:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	6e:af:7d:03:68:a7:53:bb:5d:6a:ab:d0:a0:25:76:e7:15:3c:7d:ae

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 30, 2021, 8:46 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 8:46 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2021, 8:46 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://by.dirfgame.com/report7.4.php
suspicious_features	POST method with no referer header				suspicious_request	POST http://ol.gamegame.info/report7.4.php

Performs some HTTP requests (5 events)

request	GET http://ip-api.com/json/?fields=8198
request	POST http://by.dirfgame.com/report7.4.php
request	POST http://ol.gamegame.info/report7.4.php
request	GET https://live.goatgame.live/userf/dat/29/sqlite.dat
request	GET https://live.goatgame.live/userf/dat/sqlite.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://by.dirfgame.com/report7.4.php
request	POST http://ol.gamegame.info/report7.4.php

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d7d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 region_size: 1052672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 region_size: 389120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75111000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75241000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74f41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2021, 8:46 p.m.	process_identifier: 2696 region_size: 315392 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW July 30, 2021, 8:46 p.m.	snapshot_handle: 0x00000120 process_name: mobsync.exe process_identifier: 2492	1	1
Process32NextW July 30, 2021, 8:46 p.m.	snapshot_handle: 0x00000120 process_name: taskhost.exe process_identifier: 3020	1	1
Process32NextW July 30, 2021, 8:46 p.m.	snapshot_handle: 0x00000120 process_name: WmiPrvSE.exe process_identifier: 2856	1	1
Process32NextW July 30, 2021, 8:46 p.m.	snapshot_handle: 0x00000120 process_name: rundll32.exe process_identifier: 1048	1	1
Process32NextW July 30, 2021, 8:46 p.m.	snapshot_handle: 0x00000120 process_name: rundll32.exe process_identifier: 2696	1	1

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW July 30, 2021, 8:46 p.m.	key_handle: 0x00000124 regkey_r: 1 reg_type: 3 (REG_BINARY) value: ÁÕx4XÁåH<PÁýPwËoÜØ_µHÅµ¾HÅ¼«HcáA@Å±4^¯fZÅÊC@K°h·?ËjètM=ãK£¹áü÷¶Ãc~¹²$ ?xÃ{aLÇs°Íh$ÏüsEø½ç@tPAÊ]ù¸003ú6)Ã{¸ÍE´H±Æ·¹ÎMÅÉ`tÃ]ÁÍ`dÁÂGÅh»ÿ^ßptÃE&÷3áù¸HÃE¾(Ã×x\|ÃçHD(ÃÿPL ËGôqÃ çÁÕx<Åh,]ÅáHñÉm,Àe-Ã!E`3èâ.DDHîçLLLHÃÛHTÇÙB]ÆÉr}ÈEÏû~I#\|·@NRÆPÉ7¼BÉÌüp:ò2z½ÃÎòÿ)øTK¸ÀL½ThÃÞêúÎRÖ±¼ÃÄº[B!ãË·=ÊhêtªÀ4³pºÊúQiJó±x`AnóÁÏXNÛÅûrEN±½J¶<ÇÓyc¤c1~"yò8zBaj ;»¾ÊÊe©3vJÃÏ¸£@ÊÂUUJËCØJÓrêÞ7µÎ&JÂsëß!¦Aø.@\|2~oNÇH<>Î±~¦$ËÍÏJKP{û´®ÉÌ@p·OÁN±¾I¶?Âû¹y`§eXXJ>==>§"ÍÅ K¸ûòÁ#ÀL¼eIOfïÕBE´kWÅÀL[ß±¿À Æ¹X@#ãÛ·>Ëiët^õ;¡Ñï§±·ÅÀ8/]÷©¿ìOÃI)é1óÃ¸ÔðHÉEÀ_ËoÄÀûí·ËkáAËGìëÁÕx,]ËoÜxÃrrQcõ;Q!ïFáü÷¶ÁÍ`À6#F²$ ?xÃc9,F;ÂÁ ¬LÇkTAFð¾õz4ÇsGRFR¹Á ¤èu`·ÁÍ`lÇckx»3t4ó)¼V¸õZf_>s~²½ f_>r+KtÅ Hsâ«§T½nEt}½<u¶{¸ fãÁz(bÃA²z(vÄHðf_}zaÑàK¸óz8JÁ¹ úBZÉÜPLÈE´VkÄÊE:øÌþ¶JÑËBéarë¬ÔúÏÇr}~ñÅß¢»Ïßjjgá¾5FÒÊI¶µoù´'zó»OqÀAÊJxrCIÊÈGENHC;áÑÂÀÖsiÌÄ¶üËCJ¶ÚáêNLÏZÊkét¾ojn_¾øù@Aù¸00AÊYáú6ÃSÍEÏ_%»ÏÏzjÃ\ÃC¾(vúN¸^"wr8u:Èäh¸rÅÁÊJÚE´VgÎJÖEÀE´aTÊZÒHÅKKÔ¾(vú¯'Bî]WR8t²ÇçHõZf_:wweïK+GèEHKøÂ>sv7°EÏ D}¶;´HÅOÇPgto»NÏÉFEBË¼ý½AÊKËkà@9¤/³UE¾EwÁÇBMJ¸¶¸¹ððAN¸w¦Eâx¹ f]ú´dKÀaðJÇOMHÊBÃOfÿ¡¹vúBÉFLKÓ[NÏÉFEBË½ÖïÇ/¬EÏHÅ¹7EÏÅBHÏå~XKÈÏ{¼Oè§Oð«pmvúÇk¨ÍEÏü¾Êb¤t7z3ÂEÎr±ÃXÂGÍW«\| ¸e9ìOËAÀJKÐ,k°¤EvúÍEÏÄ½´Â+g·:Çv´&äHÆ;{u0\|Ê÷ËEÒEµôÍÇ/¬LÇçHdÏ' EÀE´S¬#¤E´iCðâ¿«ÇOÇH+éB¾ÁÖouvóKôW`Ã@KøºÌýq])(REµhXvóóáÃ@4(äáù¸HÃ@¾+=OZtMÃ×xT8ËGôqVRÌXîè qÍ 666Ûyçpé âÇù:`äÔ¡ð"+¬¨¤ðV #ëCËN ÊD@GLZ`` (>TU%'à!@ÃÆ[M07 àÐ±80%½ ÊÄÐ6êÝÌÛrª/îççÿ}õtL) `¥Çú^¡'çÔ¢bÁ±»Ø@CIÂÁ¡Ðv:úÁSÁv÷ ÉÇÀúøú:Z DBÇÏÕ÷å k»ÙÜÞËÒå¹õüÞÈRÀTû{à³ÇKÃäÿoooSSXH éõ½¯ÌÌHËoì(Àï3úÉEvóóáÁ]I·¨ÀÀÚÀè¸Ý@FÆFNXúR#Gì á7r¤Ëÿó©â5¸®'=øÀÃÖbhâá,Ìà3Åö"4öà!áÃ#ãÀfï¾äÀÃ èóûCu80xÅáHhÃ #y_"öÁ ÅE À3SHcË¨ÅÙp0»»b&¹ê®¾E[)sZdh):òø°¹QÃÆMÈ{þ%t;¥¢£ýuMYòàÍ¡ô 8Ùèø[¬··äê»Ëjîï7Æñ©ÄôÏc[õ¤QéKéªè¸¸ã×`MüöÚóç7å6ááú6êQ×&uÈilJÕE´d°¼ÀJBIÀúÄU¨¹¼E@håÌ_òiÈÃ¢<ým©Xê?9Ä@ÑELwvÁ\x,@ÁåH4HÁýP<PÁõl4av((hÅA[HÃRÁPÁJ±ê.1Õá²æA´3ÞKàìÑÅö[xÁâ;0`8µÍ5wdï"+Z<æØ+(Cà§Ï½ÐáIÁÎÿPLYXåT%!6++à Á!D'}bwHËmït´ÃdHX4ßÿPd@HÃ÷XlÁ KÁH`ïD ®!@!`ÇD2 @AÆE±1ÇDæbZ_ ! '_ÈÀX×x0) aTÉ!Ãv¶þQÃñÄ¥ó5Âu\|·"¸!IÃD':XLAY"æÑiEH<9xß±tQÖ<I Ãë9dP\@Õ!ÈÂyÏê8×[¿Àk!\\| Ag¬~q<$Vù°_¿ó4ÇóÕÄó«z3XX00ÀÓI5ÿIï·;:¡º tNÊñyêó§s1ãø~çïü´±µ&uü41 0Fj{BL÷P35 µËyàbHÂP isbr0Ñéìt¼YGPïêÒuÀE·ê¿.PB+y]\±çö¿·Ú3 !ÞäKj¨9®MÊ{¸ÌaZ£flñ"r´Dµe»¯gX$0Ìzs8Ç+ãKµ!Pu%<tÃ^/£HÇëÈÔ$ 91RozSm0Ãßôs»êî«}¥+hµÊ$ûÃÅÍ÷vÀkGx£Uh)Æ!¾Ñê¼¹EµsMß¤¤ìHD(ÅÉ`DP°Ä`dÁ1?!v`Á;ÇDnñgoká<G4 µL//h4HÁ ¶Eô[z³@19ÅÂwâÂÄ¤Ã¬ê¯´r6P³µtRò®øÆ¶u[xtÅÒ~AgsPßG)[@öæÈû º ½uÃÌOAI@ÃápSRTÃ[ÃÄ ¥ÈÆ]uÅÖôóÄH+4o\|ÉËv³2°QCÄ§ê`tº3Ä ãSÅÆ@j[3_ÇT@#/ÌA¶¿Q\íáõãbsáç#ÁâO\|³Ò5ÔªÐzØBÛ~pKù@/$Oh((ëãj°¢¨¿â@ívÅpPS+ÈónH{ê¢#RgêêÇQ¢²ÔP6ò+º¡âòi[ôû´îççi<Íùqr`Òò¶ÃTrOíAfË+¬,{$HØ)KjÞF8o}µ¡@\oÌ2Ë ÙAÅÁ`r/ê\|ôÕÏÕ\|§»}Ãu71FJÙ ÜF'-lÂ0ôïizìÉ~³YÊC+JÕÿ¦QÆ»6 pE´ùêTJªÐføêç²EIDTK(¥þ¿ÔG@K7@ÇWÀâsÉÀúSwÆñjÙà¥-óÂõ¸£è{¼ÇiâHÃb`>8¹-EÍzðAÈÊkkÓM/rQ¶¯À[SEÄòkUÈxtÍ+ìBGù¨±¦ta.9VHÃÎu\|Ç@Ä·úemÎMÁD`qÂ_Åëâvô÷ñ0÷Æ23±õÕýªE`xòÁÎu`ZÁëáBÃ@#T#ñ8xD,Ü®l:i4E8¨ÔL(^N`a¤¦¢Ú]L©¦:â¸~tEQ·gB°}ðY¨8¬TÿÛËjÀrMLÖáàÉÏ¹gw_¹Î¨¦G OÁ1+Sº¶uÿ$S%î9j<$§Þ¶+ºÀcä<Í´6óãÅÌe%H@ÍL½yÏÜW9ûZ8ãZF$=JIÅh,[ÕHÁ"çDê¿x MÅí(¸¹A"{ü¤T´Å²³;Eæ+ (ÃC{òn¼<4D¹ó5J;kàEwß¥ÃJñtÌ$Fs Lh£CÂ»ðøµæùî[2zù@5q7ó+î´µÅáýÉÑ3aØ@Uv×Æ)O4x<¤«ë¢_,%l$bDoêû³{QÊK%p?ûÐs¼ÏIÅç regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1	1	0	0

Generates some ICMP traffic

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod July 30, 2021, 8:46 p.m.	inargs.CurrentDirectory: None inargs.CommandLine: rundll32.exe "C:\Users\test22\AppData\Local\Temp\sqlite.dll",global inargs.ProcessStartupInformation: None outargs.ProcessId: 1048 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Generic.4!c
DrWeb	Trojan.DownLoader40.49527
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.37307201
Malwarebytes	Trojan.Downloader
Sangfor	Riskware.Win32.Agent.ky
Alibaba	TrojanDownloader:Win32/MalwareX.f55c1a01
K7GW	Trojan-Downloader ( 0057feab1 )
K7AntiVirus	Trojan-Downloader ( 0057feab1 )
Arcabit	Trojan.Generic.D2394341
Cyren	W32/Trojan.WHQN-5155
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FTP
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Trojan.GenericKD.37307201
MicroWorld-eScan	Trojan.GenericKD.37307201
Avast	Win32:MalwareX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37307201
Emsisoft	Trojan.GenericKD.37307201 (B)
Comodo	Malware@#3ugxpsnpnbves
VIPRE	Win32.Malware!Drop
TrendMicro	TROJ_GEN.R002C0PGT21
McAfee-GW-Edition	RDN/Generic.grp
FireEye	Trojan.GenericKD.37307201
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Avira	TR/Dldr.Agent.cqkvi
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft	Malware.Win32.MigratedCloud.cc
Microsoft	Trojan:Script/Phonzy.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Trojan.GenericKD.37307201
AhnLab-V3	Trojan/Win.MalwareX-gen.C4566285
McAfee	RDN/Generic.grp
MAX	malware (ai score=88)
VBA32	BScope.Trojan.Wacatac
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0PGT21
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/GdSda.A
Qihoo-360	Win32/Trojan.Generic.HwcB3n8A

29.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All