Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 29, 2022, 11:50 a.m.	Nov. 29, 2022, 11:54 a.m.

Size	12.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`53e334e1dc87b596d5a47fc24ecb7551`
SHA256	`8202ba56a591ceb1f3cf497f31d9da7d5d897a59656640b16a0e442ae1190e22`
CRC32	`F7BFD996`
ssdeep	`196608:MmZwQ5AeUu9H9qfZNvYzhsch7stnb2I34hGOCGTW4+MKX:JZwQ5A09dqfZizh3hAT34hGOCGW4`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

DS.exe "C:\Users\test22\AppData\Local\Temp\DS.exe"
416

Name	Response	Post-Analysis Lookup
pv.sohu.com	A 150.109.223.49 CNAME 2iyme7oy.e0.sched.ovscdns.com A 150.109.222.99 A 150.109.222.97 CNAME pv.sohu.com.dsa.dnsv1.com A 150.109.222.103 A 150.109.222.102	211.152.133.19
www.ip138.com	A 61.110.197.11 CNAME www.ip138.com.lxdns.com	61.110.197.11
2022.ip138.com	A 61.110.197.11 CNAME 2022.ip138.com.wsglb0.com	61.110.197.11

IP Address	Status	Action
150.109.222.97	Active	Moloch
164.124.101.2	Active	Moloch
43.154.131.186	Active	Moloch
61.110.197.11	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 61.110.197.11:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 61.110.197.11:443	C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2	C=CN, ST=福建省, L=厦门市, O=网宿科技股份有限公司厦门分公司, CN=default.chinanetcenter.com	e8:03:33:5c:51:55:27:6a:aa:32:35:20:46:a9:6f:ab:09:cb:c6:c2

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 29, 2022, 11:45 a.m.			0	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	TEXTINCLUDE
resource name	WAVE

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (4 events)

request	GET http://pv.sohu.com/cityjson
request	GET http://www.ip138.com/
request	GET http://2022.ip138.com/
request	GET https://www.ip138.com/

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 29, 2022, 11:45 a.m.	process_identifier: 416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 29, 2022, 11:45 a.m.	total_number_of_free_bytes: 9922633728 free_bytes_available: 9922633728 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 out of 70 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d43f78

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d43f78

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d43f78

size

0x00000151

name

WAVE

language

LANG_CHINESE

filetype

RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d49060

size

0x00001448

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d4a5f8

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d465e0

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d455a8

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d455a8

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d450f0

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d46ff8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d46ff8

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00d46ff8

size

0x00000024

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00928000', u'virtual_address': u'0x002af000', u'entropy': 7.748678098607842, u'name': u'.rdata', u'virtual_size': u'0x009276e8'}

entropy

7.74867809861

description

A section with a high entropy has been found

entropy

0.720565631725

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

43.154.131.186

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 29, 2022, 11:45 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000001c0 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl Nov. 29, 2022, 11:45 a.m.	input_buffer: control_code: 2954240 () device_handle: 0x000001c0 output_buffer: (§	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Generic.4!c
tehtris	Generic.Malware
FireEye	Generic.mg.53e334e1dc87b596
McAfee	Artemis!53E334E1DC87
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Trojan ( 005246d51 )
K7GW	Trojan ( 005246d51 )
Cybereason	malicious.d9cfea
BitDefenderTheta	Gen:NN.ZexaF.36106.@tW@aC9ZBhcH
Cyren	W32/Trojan.CLL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
ClamAV	Win.Malware.Trojanx-9951053-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:MalwareX-gen [Trj]
Sophos	Generic ML PUA (PUA)
Comodo	TrojWare.Win32.Agent.OSCF@5rs7jr
McAfee-GW-Edition	BehavesLike.Win32.Dropper.rc
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Google	Detected
Antiy-AVL	Trojan/Win32.FlyStudio.a
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
GData	Win32.Trojan.PSE.18JA6Q4
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5242352
Acronis	suspicious
VBA32	BScope.Adware.Agent
Malwarebytes	Generic.Crypt.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002H0CKS22
Rising	Trojan.MalCert!1.DEC0 (CLASSIC)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/CoinMiner.65CA!tr
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)

DS.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All