Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 13, 2021, 8:03 p.m.	Aug. 13, 2021, 8:12 p.m.

Size	376.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ca0bfb0e149468f828793f18cd1db393`
SHA256	`323ea92408f9dfb0598cea001209880501388393ed76e9f20974b2819141ca9a`
CRC32	`87C26252`
ssdeep	`6144:MkyLEbWaR5CcUdoVjOU7i2P2P25rrrrDL:dUaWaR5vUKsUeQQ0rrrrD`
Yara	Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

%E8%BD%AF%E4%BB%B6%E6%8E%88%E6%9D%83%E7%A8%8B%E5%BA%8F.exe "C:\Users\test22\AppData\Local\Temp\%E8%BD%AF%E4%BB%B6%E6%8E%88%E6%9D%83%E7%A8%8B%E5%BA%8F.exe"
1764

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.229.126.73	Active	Moloch
144.48.240.173	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 144.48.240.173:29106	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49164 -> 144.48.240.173:29106	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49163 -> 144.48.240.173:29106	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 144.48.240.173:29106	2016698	ET HUNTING Suspicious services.exe in URI	Potentially Bad Traffic
TCP 144.48.240.173:29106 -> 192.168.56.102:49164	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 144.48.240.173:29106 -> 192.168.56.102:49163	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 144.48.240.173:29106 -> 192.168.56.102:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 144.48.240.173:29106 -> 192.168.56.102:49164	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 144.48.240.173:29106 -> 192.168.56.102:49164	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 144.48.240.173:29106 -> 192.168.56.102:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 144.48.240.173:29106 -> 192.168.56.102:49164	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 144.48.240.173:29106 -> 192.168.56.102:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 144.48.240.173:29106 -> 192.168.56.102:49163	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 144.48.240.173:29106 -> 192.168.56.102:49163	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 144.48.240.173:29106 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 144.48.240.173:29106 -> 192.168.56.102:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 13, 2021, 8:02 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

InstallShield 2000

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 13, 2021, 8:02 p.m.	total_number_of_free_bytes: 10932813824 free_bytes_available: 10932813824 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	c:\services.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Aug. 13, 2021, 8:02 p.m.	service_start_name: start_type: 2 password: display_name: Muykuy ekcaccgm filepath: C:\Program Files (x86)\Ajtydum.exe service_name: Rstrtb fnvpfsvi filepath_r: C:\Program Files (x86)\Ajtydum.exe desired_access: 983551 service_handle: 0x008dc2d0 error_control: 1 service_type: 272 service_manager_handle: 0x008ac438	1	9290448	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (46 events)

Time & API	Arguments	Status	Return
Process32FirstW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: [System Process] process_identifier: 0	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: System process_identifier: 4	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: smss.exe process_identifier: 228	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: csrss.exe process_identifier: 308	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: wininit.exe process_identifier: 348	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: csrss.exe process_identifier: 368	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: winlogon.exe process_identifier: 412	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: services.exe process_identifier: 448	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: lsass.exe process_identifier: 464	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: lsm.exe process_identifier: 472	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 660	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 736	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 820	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 852	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: audiodg.exe process_identifier: 912	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 1004	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 312	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: spoolsv.exe process_identifier: 1032	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: svchost.exe process_identifier: 1072	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: taskhost.exe process_identifier: 1140	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: dwm.exe process_identifier: 1204	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000bc process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: IMEDICTUPDATE.EXE process_identifier: 1476	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: svchost.exe process_identifier: 1844	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: pw.exe process_identifier: 1996	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: SearchIndexer.exe process_identifier: 748	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: taskeng.exe process_identifier: 2932	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: WmiPrvSE.exe process_identifier: 2160	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: svchost.exe process_identifier: 2196	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: mobsync.exe process_identifier: 2068	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: pw.exe process_identifier: 2628	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: wsqmcons.exe process_identifier: 264	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: taskhost.exe process_identifier: 1276	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: sdclt.exe process_identifier: 2076	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: schtasks.exe process_identifier: 2560	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: conhost.exe process_identifier: 2616	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: cmd.exe process_identifier: 2296	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: conhost.exe process_identifier: 2356	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: SearchProtocolHost.exe process_identifier: 196	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: pw.exe process_identifier: 1608	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: SearchFilterHost.exe process_identifier: 560	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000000c4 process_name: %E8%BD%AF%E4%BB%B6%E6%8E%88%E6%9D%83%E7%A8%8B%E5%BA%8F.exe process_identifier: 1764	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 2744	1	1
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 13, 2021, 8:02 p.m.	process_identifier: 1764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 45056 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process %e8%bd%af%e4%bb%b6%e6%8e%88%e6%9d%83%e7%a8%8b%e5%ba%8f.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 13, 2021, 8:02 p.m.	buffer: HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 88420 Accept-Ranges: bytes Server: HFS 2.3g Set-Cookie: HFS_SID_=0.846038175281137; path=/; HttpOnly Last-Modified: Fri, 02 Jul 2021 03:56:08 GMT Content-Disposition: attachment; filename="services.exe"; MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ %^gäD04äD04äD04X<4åD04'Km4êD04gX>4åD04[;4åD04[:4ïD04[44æD04Òb;4æD04äD14=D04Òb44çD04[;4íD04#B64åD04RichäD04PEL\ï*WàD¼N`@0uÈÜ`D`\|.textCD `.rdata` H@@.dataÄh@À.rsrc n@@ received: 1024 socket: 700	1	1024	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0
Process32NextW Aug. 13, 2021, 8:02 p.m.	snapshot_handle: 0x000003d8 process_name: Ajtydum.exe process_identifier: 7929972		0	0

Communicates with host for which no DNS query was performed (2 events)

host	103.229.126.73
host	144.48.240.173

Installs itself for autorun at Windows startup (1 event)

service_name

Rstrtb fnvpfsvi

service_path

C:\Program Files (x86)\Ajtydum.exe

Expresses interest in specific running processes (2 events)

process	%e8%bd%af%e4%bb%b6%e6%8e%88%e6%9d%83%e7%a8%8b%e5%ba%8f.exe
process: potential process injection target	explorer.exe

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Farfli.m!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Trojan.Malware.xmW@a8KOUHe
FireEye	Generic.mg.ca0bfb0e149468f8
CAT-QuickHeal	Backdoor.Farfli
Qihoo-360	Win32/Backdoor.Farfli.HwIAzAsA
ALYac	Gen:Trojan.Malware.xmW@a8KOUHe
Cylance	Unsafe
Zillya	Backdoor.Farfli.Win32.9121
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005631771 )
Alibaba	Backdoor:Win32/Kryptik.acfe42dd
K7GW	Trojan ( 005631771 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Farfli.CW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HCAH
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.Win32.Farfli.gen
BitDefender	Gen:Trojan.Malware.xmW@a8KOUHe
NANO-Antivirus	Trojan.Win32.Fugrafa.gsuiii
Avast	Win32:BackdoorX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10ce3d7f
Ad-Aware	Gen:Trojan.Malware.xmW@a8KOUHe
Emsisoft	Gen:Trojan.Malware.xmW@a8KOUHe (B)
Comodo	Backdoor.Win32.Farfli.FK@7jqjxo
DrWeb	Trojan.Siggen11.63246
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PH621
McAfee-GW-Edition	BehavesLike.Win32.PWSZbot.fz
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Jiangmin	Backdoor.Farfli.eqx
Avira	HEUR/AGEN.1133195
Antiy-AVL	Trojan/Generic.ASMalwS.2FBD4CE
Kingsoft	Win32.Hack.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa!s1
Microsoft	Trojan:Win32/Multiverze
ViRobot	Trojan.Win32.Z.Farfli.385024.A
GData	Gen:Trojan.Malware.xmW@a8KOUHe
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win32.RL_Generic.R299466
McAfee	GenericRXLP-OX!CA0BFB0E1494
MAX	malware (ai score=89)
VBA32	BScope.Backdoor.Farfli
Malwarebytes	Backdoor.Farfli
TrendMicro-HouseCall	TROJ_GEN.R002C0PH621
Rising	Trojan.Generic@ML.100 (RDML:DJMH8sHhmyUpPg6hCfv5Eg)

%E8%BD%AF%E4%BB%B6%E6%8E%88%E6%9D%83%E7%A8%8B%E5%BA%8F.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All