Summary | ZeroBOX

nva.exe

Generic Malware Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate privileges DNS Code injection PWS Sniff Audio Steal credential AntiDebug .NET EXE PE File AntiVM PE32
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 4, 2021, 5:17 p.m.
Completed: Aug. 4, 2021, 5:19 p.m.
Size 598.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 9486fe80718f69b103e1166e32ca5621
SHA256 7bfa1a2593f74120d8f9ad1cdae68a06f22c86fdcc58eb9ecb3471b500330867
CRC32 036164BC
ssdeep 12288:murtfEIio0sysZKsyMq13IBgzbV9wgOReg32U:PniFeqZIBalg32U
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name: societyf500.ddns.net
Response: 37.238.146.18
Post-Analysis Lookup: (none)

IP Address: 164.124.101.2
Status: Active
Action: Moloch

Suricata Alerts

Flow: UDP 192.168.56.102:63203 -> 164.124.101.2:53
SID: 2028675
Signature: ET POLICY DNS Query to DynDNS Domain *.ddns .net
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: DONT CLOSE THIS WINDOW!
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: Active code page: 65001
console_handle: 0x00000013
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7509b479
registers.esp: 2418316
registers.edi: 1955258312
registers.eax: 9699328
registers.ebp: 2418520
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7509b479
registers.esp: 4056524
registers.edi: 1955258312
registers.eax: 11075584
registers.ebp: 4056728
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0
1 0 0
domain societyf500.ddns.net
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00770000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a72000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00770000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00581000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02142000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00891000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00895000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00582000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00583000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x043b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x043b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x043b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0430f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04300000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003be000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x043b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04370000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04371000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04372000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04374000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04375000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04376000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04301000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04377000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04378000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04379000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0437a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2156
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2156
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2156
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73a22000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2156
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02250000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section .text: size_of_data 0x00073e00, virtual_address 0x00002000, virtual_size 0x00073df4, entropy 7.974389208655985; description: A section with a high entropy has been found
entropy 0.77508361204; description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications use DNS rule Network_DNS
description Win32 PWS Loki rule Win32_PWS_Loki_Zero
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate privileges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications use DNS rule Network_DNS
description Win32 PWS Loki rule Win32_PWS_Loki_Zero
description Run a KeyLogger rule KeyLogger
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
cmdline ping -n 10 localhost
cmdline chcp 65001
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2372
region_size: 540672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000294
1 0 0

NtAllocateVirtualMemory

process_identifier: 1548
region_size: 540672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000028c
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVA reg_value "C:\Users\test22\AppData\Local\NVA.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVA reg_value "C:\Users\test22\AppData\Local\NVA.exe"
Process injection Process 1944 manipulating memory of non-child process 2372
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2372
region_size: 540672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000294
1 0 0
Process injection Process 1944 injected into non-child 2372
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^à È~ç @ @@…0çK“   H.text„Ç È `.rsrc“  Ê@@.reloc Ö@B
base_address: 0x00400000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer:  €8€P€h€€ ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06 InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020*LegalTrademarks> OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
base_address: 0x00480000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer: à €7
base_address: 0x00482000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^à È~ç @ @@…0çK“   H.text„Ç È `.rsrc“  Ê@@.reloc Ö@B
base_address: 0x00400000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:  €8€P€h€€ ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06 InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020*LegalTrademarks> OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
base_address: 0x00480000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: à €7
base_address: 0x00482000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1548
process_handle: 0x0000028c
1 1 0
Process injection Process 1944 injected into non-child 2372
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^à È~ç @ @@…0çK“   H.text„Ç È `.rsrc“  Ê@@.reloc Ö@B
base_address: 0x00400000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^à È~ç @ @@…0çK“   H.text„Ç È `.rsrc“  Ê@@.reloc Ö@B
base_address: 0x00400000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0
Process injection Process 1944 called NtSetContextThread to modify thread in remote process 2372
Process injection Process 2156 called NtSetContextThread to modify thread in remote process 1548
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4712318
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000290
process_identifier: 2372
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4712318
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000288
process_identifier: 1548
1 0 0
Process injection Process 1944 resumed a thread in remote process 2372
Process injection Process 2868 resumed a thread in remote process 2156
Process injection Process 2156 resumed a thread in remote process 1548
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000290
suspend_count: 1
process_identifier: 2372
1 0 0

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2156
1 0 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 1548
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1944
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1944
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 1944
1 0 0

CreateProcessInternalW

thread_identifier: 2376
thread_handle: 0x00000290
process_identifier: 2372
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\nva.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000294
1 1 0

NtGetContextThread

thread_handle: 0x00000290
1 0 0

NtAllocateVirtualMemory

process_identifier: 2372
region_size: 540672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000294
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^à È~ç @ @@…0çK“   H.text„Ç È `.rsrc“  Ê@@.reloc Ö@B
base_address: 0x00400000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00402000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer:  €8€P€h€€ ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06 InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020*LegalTrademarks> OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
base_address: 0x00480000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer: à €7
base_address: 0x00482000
process_identifier: 2372
process_handle: 0x00000294
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2372
process_handle: 0x00000294
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4712318
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000290
process_identifier: 2372
1 0 0

NtResumeThread

thread_handle: 0x00000290
suspend_count: 1
process_identifier: 2372
1 0 0

CreateProcessInternalW

thread_identifier: 2936
thread_handle: 0x00000088
process_identifier: 2932
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\chcp.com
track: 1
command_line: chcp 65001
filepath_r: C:\Windows\system32\chcp.com
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

thread_identifier: 2980
thread_handle: 0x00000088
process_identifier: 2976
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\PING.EXE
track: 1
command_line: ping -n 10 localhost
filepath_r: C:\Windows\system32\PING.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 1276
thread_handle: 0x00000084
process_identifier: 2156
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\nva.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\nva.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\nva.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2156
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2156
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2156
1 0 0

NtResumeThread

thread_handle: 0x000001c4
suspend_count: 1
process_identifier: 2156
1 0 0

CreateProcessInternalW

thread_identifier: 2040
thread_handle: 0x00000288
process_identifier: 1548
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\nva.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000028c
1 1 0

NtGetContextThread

thread_handle: 0x00000288
1 0 0

NtAllocateVirtualMemory

process_identifier: 1548
region_size: 540672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000028c
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõkÚ^à È~ç @ @@…0çK“   H.text„Ç È `.rsrc“  Ê@@.reloc Ö@B
base_address: 0x00400000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00402000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer:  €8€P€h€€ ¼×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°|StringFileInfoX000004b0Comments"CompanyNameDFileDescriptionQuasar Client,FileVersion1.4.06 InternalNameClient.exeTLegalCopyrightCopyright © MaxXor 2020*LegalTrademarks> OriginalFilenameClient.exe.ProductNameQuasar0ProductVersion1.4.08Assembly Version1.4.0.0<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
base_address: 0x00480000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: à €7
base_address: 0x00482000
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 1548
process_handle: 0x0000028c
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4712318
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000288
process_identifier: 1548
1 0 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 1548
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1548
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1548
1 0 0

NtResumeThread

thread_handle: 0x0000019c
suspend_count: 1
process_identifier: 1548
1 0 0
Lionic Trojan.MSIL.Quasar.4!c
Elastic malicious (high confidence)
FireEye Generic.mg.9486fe80718f69b1
McAfee RDN/Generic.grp
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0057eea61 )
Alibaba Trojan:MSIL/Kryptik.b45f235e
K7GW Trojan ( 0057eea61 )
Cyren W32/Trojan.CION-4018
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.ABUK
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.MSIL.Quasar.gen
BitDefender Trojan.GenericKD.46569617
NANO-Antivirus Trojan.Win32.Quasar.ixhcsx
MicroWorld-eScan Trojan.GenericKD.46569617
Avast Win32:MalwareX-gen [Trj]
Tencent Msil.Trojan.Quasar.Htby
Ad-Aware Trojan.GenericKD.46569617
Emsisoft Trojan.GenericKD.46569617 (B)
Comodo Malware@#1caxji34vkrhu
DrWeb Trojan.Inject4.13548
Zillya Trojan.Quasar.Win32.5235
TrendMicro TROJ_GEN.R011C0PG521
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Sophos Mal/Generic-S
Ikarus Trojan.Inject
Jiangmin Trojan.MSIL.aesie
Avira TR/Kryptik.qvofh
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Agent.oa
Microsoft Trojan:Win32/AgentTesla!ml
GData Trojan.GenericKD.46569617
AhnLab-V3 Trojan/Win.Generic.C4542132
BitDefenderTheta Gen:NN.ZemsilF.34050.Lm0@aCuHmP
ALYac Trojan.GenericKD.46569617
MAX malware (ai score=80)
VBA32 TScope.Trojan.MSIL
Malwarebytes Backdoor.Quasar
TrendMicro-HouseCall TROJ_GEN.R011C0PG521
Yandex Trojan.Quasar!T5sEaD+qGKI
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Kryptik.ABRS!tr
MaxSecure Trojan.Malware.73405263.susgen
AVG Win32:MalwareX-gen [Trj]