Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 14, 2021, 3:38 p.m.	Oct. 14, 2021, 3:51 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`aade455507f667318c83c42a95b3fc3c`
SHA256	`b774d45c6788cc48716eee3e81002e5b74996a3c2610967f3d19115646ca4d6a`
CRC32	`E1F73925`
ssdeep	`49152:Xe8CI/Zr5B6t4JP24kCvC/J3iSI3AvYwnuSg:O8CI/V6ta+9CmZJvYw`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description)

ConsoleApp18.exe "C:\Users\test22\AppData\Local\Temp\ConsoleApp18.exe"
2220
- ConsoleApp18.exe C:\Users\test22\AppData\Local\Temp\ConsoleApp18.exe
  1420

Name	Response	Post-Analysis Lookup
lplazadtemins.duckdns.org	A 194.147.140.45	194.147.140.45

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.147.140.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49202 194.147.140.45:443	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 14, 2021, 3:38 p.m.			0	0
IsDebuggerPresent Oct. 14, 2021, 3:38 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 14, 2021, 3:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007b05d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 14, 2021, 3:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007b05d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 14, 2021, 3:39 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007b0658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 14, 2021, 3:38 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Oct. 14, 2021, 3:39 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 0x4206240 0x4207e1d 0x4208639 0x4205d84 0x4205981 0x420511e 0x4205545 0x420a7c7 mscorlib+0x2d5861 @ 0x6ff15861 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x357ee CorDllMainForThunk-0x56d0d clr+0xfa867 @ 0x7283a867 DllGetClassObjectInternal+0x358c6 CorDllMainForThunk-0x56c35 clr+0xfa93f @ 0x7283a93f PreBindAssemblyEx+0x107ff StrongNameSignatureVerification-0x174c clr+0x18836a @ 0x728c836a CreateHistoryReader+0x48031 PostErrorVA-0x120f2e clr+0x257876 @ 0x72997876 CreateAssemblyNameObject+0x28676 GetMetaDataInternalInterface-0xfdf9 clr+0x55b0f @ 0x72795b0f GetPrivateContextsPerfCounters+0x13ac DllGetActivationFactoryImpl-0x134b9 clr+0x8932e @ 0x727c932e mscorlib+0x2d40b3 @ 0x6ff140b3 mscorlib+0x2d3909 @ 0x6ff13909 mscorlib+0x2e6d02 @ 0x6ff26d02 mscorlib+0x2e6ca9 @ 0x6ff26ca9 0x420b6a5 mscorlib+0xd3689c @ 0x7097689c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 CopyPDBs+0x4a96 DllCanUnloadNowInternal-0x3c541 clr+0x19a6d8 @ 0x728da6d8 CopyPDBs+0x4af5 DllCanUnloadNowInternal-0x3c4e2 clr+0x19a737 @ 0x728da737 PreBindAssemblyEx+0x7116 StrongNameSignatureVerification-0xae35 clr+0x17ec81 @ 0x728bec81 PreBindAssemblyEx+0x71be StrongNameSignatureVerification-0xad8d clr+0x17ed29 @ 0x728bed29 mscorlib+0x389e52 @ 0x6ffc9e52 mscorlib+0x309c30 @ 0x6ff49c30 mscorlib+0x2eb9eb @ 0x6ff2b9eb mscorlib+0x2d7cd5 @ 0x6ff17cd5 mscorlib+0x2d77bd @ 0x6ff177bd mscorlib+0x2d74ff @ 0x6ff174ff mscorlib+0x2d71c3 @ 0x6ff171c3 mscorlib+0x2d48ea @ 0x6ff148ea mscorlib+0x36990b @ 0x6ffa990b 0x420a2c6 0x4209fb7 0x4208fbd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d 0x420021c 0x4200068 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x728da887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1881220 registers.edi: 0 registers.eax: 1881220 registers.ebp: 1881300 registers.edx: 0 registers.ebx: 8244824 registers.esi: 7887208 registers.ecx: 1469171503	1
__exception__ Oct. 14, 2021, 3:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x420e60d 0x420d4f7 0x4209fc1 0x4208fbd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d 0x420021c 0x4200068 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x728da887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1894324 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 1894528 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Oct. 14, 2021, 3:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x420e60d 0x420d4f7 0x4209fc1 0x4208fbd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d 0x420021c 0x4200068 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x728da887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1894324 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 1894528 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Oct. 14, 2021, 3:39 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x420e60d 0x420d4f7 0x4209fc1 0x4208fbd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d 0x420021c 0x4200068 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x728da887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 1894324 registers.edi: 1990713288 registers.eax: 2228224 registers.ebp: 1894528 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

lplazadtemins.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0069a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04201000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04202000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04203000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04205000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04206000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04207000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04208000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04209000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 14, 2021, 3:38 p.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0420a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0420b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0420c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0420d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0420e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

ConsoleApp18.exe tried to sleep 241 seconds, actually delayed analysis time by 241 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0015fc00', u'virtual_address': u'0x00002000', u'entropy': 7.999582402996025, u'name': u'.text', u'virtual_size': u'0x0015fb18'}

entropy

7.999582403

description

A section with a high entropy has been found

entropy

0.818261122419

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 14, 2021, 3:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 1420 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000298	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\notepad

reg_value

"C:\Users\test22\AppData\Local\notepad.exe"

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜpKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcpKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬tE°wEªtE..p¡F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶Ft¡F@¶F@¶F@¶F@¶F@¶F@¶F@¶Fx¡Fÿÿÿÿ°wE¢F¢F¢F¢F¢Fx¡F0zE°{EEØ¡Fp§FCPSTPDT ¢Fà¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: base_address: 0x0046e000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: ÙôØ?iÝÝ?ÑÝ?Ùw?zÊ@t@G##ÈÝÞÍ(öÐõ??M- ,ÝWÝÖ±ßú»Þ»Þý »#»{\|QnÊã='¢t¨ÄªX¦-ûÅÁÍÞ¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1420 process_handle: 0x00000298	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜpKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcpKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 1420 process_handle: 0x00000298	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Oct. 14, 2021, 3:39 p.m.	thread_identifier: 0 callback_function: 0x00408981 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	3080301	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2220 called NtSetContextThread to modify thread in remote process 1420
NtSetContextThread Oct. 14, 2021, 3:39 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4389945 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 1420	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2220 resumed a thread in remote process 1420
NtResumeThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1420	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 14, 2021, 3:38 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2220	1	0
NtResumeThread Oct. 14, 2021, 3:38 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2220	1	0
NtResumeThread Oct. 14, 2021, 3:38 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2220	1	0
NtResumeThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2220	1	0
NtGetContextThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread Oct. 14, 2021, 3:39 p.m.	registers.eip: 1920740228 registers.esp: 1881428 registers.edi: 142 registers.eax: 2 registers.ebp: 1881432 registers.edx: 36237496 registers.ebx: 36237496 registers.esi: 8 registers.ecx: 36237496 thread_handle: 0x000000e4 process_identifier: 2220	1	0
NtResumeThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2220	1	0
CreateProcessInternalW Oct. 14, 2021, 3:39 p.m.	thread_identifier: 1892 thread_handle: 0x00000294 process_identifier: 1420 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ConsoleApp18.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000298	1	1
NtGetContextThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x00000294	1	0
NtAllocateVirtualMemory Oct. 14, 2021, 3:39 p.m.	process_identifier: 1420 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000298	1	0
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜpKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcpKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: base_address: 0x00401000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: base_address: 0x00453000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬tE°wEªtE..p¡F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶Ft¡F@¶F@¶F@¶F@¶F@¶F@¶F@¶Fx¡Fÿÿÿÿ°wE¢F¢F¢F¢F¢Fx¡F0zE°{EEØ¡Fp§FCPSTPDT ¢Fà¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: base_address: 0x0046e000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: ÙôØ?iÝÝ?ÑÝ?Ùw?zÊ@t@G##ÈÝÞÍ(öÐõ??M- ,ÝWÝÖ±ßú»Þ»Þý »#»{\|QnÊã='¢t¨ÄªX¦-ûÅÁÍÞ¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: base_address: 0x00470000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: base_address: 0x00475000 process_identifier: 1420 process_handle: 0x00000298	1	1
WriteProcessMemory Oct. 14, 2021, 3:39 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1420 process_handle: 0x00000298	1	1
NtSetContextThread Oct. 14, 2021, 3:39 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4389945 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 1420	1	0
NtResumeThread Oct. 14, 2021, 3:39 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1420	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.2622
FireEye	Generic.mg.aade455507f66731
ALYac	IL:Trojan.MSILZilla.2622
Cylance	Unsafe
Sangfor	Backdoor.MSIL.Crysan.gen
Alibaba	Backdoor:MSIL/Crysan.61569f43
K7GW	Trojan ( 00588dd71 )
CrowdStrike	win/malicious_confidence_80% (W)
Arcabit	IL:Trojan.MSILZilla.DA3E
BitDefenderTheta	Gen:NN.ZemsilF.34214.Rn0@aOuwwdn
ESET-NOD32	a variant of MSIL/Kryptik.ADDG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
BitDefender	IL:Trojan.MSILZilla.2622
Avast	Win32:CrypterX-gen [Trj]
Ad-Aware	IL:Trojan.MSILZilla.2622
Emsisoft	IL:Trojan.MSILZilla.2622 (B)
DrWeb	Trojan.DownLoader43.42941
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Webroot	W32.Malware.Gen
Avira	TR/Dropper.Gen2
Microsoft	Trojan:Win32/Remcos.SD!MTB
ViRobot	Trojan.Win32.Z.Sabsik.1761280
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	Win32.Backdoor.Remcos.7QJMFI
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MSILZilla.C4699280
McAfee	Artemis!AADE455507F6
MAX	malware (ai score=100)
Malwarebytes	Backdoor.Remcos
TrendMicro-HouseCall	TROJ_GEN.R002H0CJD21
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	PossibleThreat
AVG	Win32:CrypterX-gen [Trj]
Panda	Trj/GdSda.A

ConsoleApp18.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All