Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 16, 2023, 4:14 p.m.	April 16, 2023, 4:20 p.m.

Size	1.7MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`9b329956bf938c36fe12b1524eff3be0`
SHA256	`e188218c37cc8a570fbcdc84e9ac9116c3a8a958c945dbf7fdecdde78ae43480`
CRC32	`06B8CECA`
ssdeep	`24576:mkAgHyFfkacLnDDqWXeI4XI29huCbK4Nkk7tGlU0nDSnIbNk8aq1UZxKwiP2w9+n:dyFfCDDDLe9fFbntGlwsrr+7Lw2yjUlT`
Yara	Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature

Acx_w01.exe "C:\Users\test22\AppData\Local\Temp\Acx_w01.exe"
2576
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\setup.bat" "
  2704
  - regsvr32.exe regsvr32 ./Files/Amox.dll /s
    2792
    - powershell.exe powershell Add-MpPreference -ExclusionPath C:\
      2864
    - powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
      2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
140.99.221.199	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2023, 4:15 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:15 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 92 events)

Time & API	Arguments	Status	Return
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000241b20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002ca4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002c9cc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002caa50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002caa50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002caa50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b06b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b06b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b06b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b06b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b91bb40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b91bb40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b91c080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b91c080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b0480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b0480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b0480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002b0480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000359a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b59f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b59f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b59f4b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2023, 4:14 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: 0x2112eb6 0x1eecd0 0x2110000 0x18e018 0x2178faf 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a exception.instruction_r: 48 8b cb e8 c2 ce 06 00 48 8d 4c 24 28 e8 ca ce exception.instruction: mov rcx, rbx exception.exception_code: 0x80000004 exception.symbol: exception.address: 0x2112eb6 registers.r14: 8791597056000 registers.r15: 0 registers.rcx: 1628448 registers.rsi: 34668544 registers.r10: 0 registers.rbx: 2026704 registers.rsp: 1630040 registers.r11: 810321224 registers.r8: 53 registers.r9: 810321224 registers.rdx: 4267291448 registers.r12: 3236690 registers.rbp: 3236690 registers.rdi: 1630232 registers.rax: 1996454721 registers.r13: 3236724	1	0	0
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a 0x1db1633a exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x1db1633a registers.r14: 8791597056000 registers.r15: 0 registers.rcx: 1628448 registers.rsi: 34668544 registers.r10: 0 registers.rbx: 2026704 registers.rsp: 1630040 registers.r11: 810321224 registers.r8: 53 registers.r9: 810321224 registers.rdx: 4267291448 registers.r12: 3236690 registers.rbp: 3236690 registers.rdi: 1630232 registers.rax: 1996454721 registers.r13: 3236724	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 16, 2023, 4:15 p.m.

stacktrace:

0x2112eb6
0x1eecd0
0x2110000
0x18e018
0x2178faf
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a

exception.instruction_r: 48 8b cb e8 c2 ce 06 00 48 8d 4c 24 28 e8 ca ce
exception.instruction: mov rcx, rbx
exception.exception_code: 0x80000004
exception.symbol:
exception.address: 0x2112eb6
registers.r14: 8791597056000
registers.r15: 0
registers.rcx: 1628448
registers.rsi: 34668544
registers.r10: 0
registers.rbx: 2026704
registers.rsp: 1630040
registers.r11: 810321224
registers.r8: 53
registers.r9: 810321224
registers.rdx: 4267291448
registers.r12: 3236690
registers.rbp: 3236690
registers.rdi: 1630232
registers.rax: 1996454721
registers.r13: 3236724

__exception__

April 16, 2023, 4:15 p.m.

stacktrace:

0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a
0x1db1633a

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x1db1633a
registers.r14: 8791597056000
registers.r15: 0
registers.rcx: 1628448
registers.rsi: 34668544
registers.r10: 0
registers.rbx: 2026704
registers.rsp: 1630040
registers.r11: 810321224
registers.r8: 53
registers.r9: 810321224
registers.rdx: 4267291448
registers.r12: 3236690
registers.rbp: 3236690
registers.rdi: 1630232
registers.rax: 1996454721
registers.r13: 3236724

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (27 events)

Time & API	Arguments	Status	Return
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 268 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 268 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 268 port: 0	1	276
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 332 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 332 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 332 port: 0	1	348
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 360 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 360 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 360 port: 0	1	368
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 380 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 380 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 380 port: 0	1	388
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 400 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 400 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 400 port: 0	1	408
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 316 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 316 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 316 port: 0	1	416
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 428 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 428 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 428 port: 0	1	436
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 448 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 448 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 448 port: 0	1	456
bind April 16, 2023, 4:15 p.m.	ip_address: 127.0.0.1 socket: 468 port: 0	1	0
listen April 16, 2023, 4:15 p.m.	socket: 468 backlog: 1	1	0
accept April 16, 2023, 4:15 p.m.	ip_address: socket: 468 port: 0	1	476

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	HEAD http://140.99.221.199/w01
suspicious_features	Connection to IP address				suspicious_request	GET http://140.99.221.199/w01

Performs some HTTP requests (2 events)

request	HEAD http://140.99.221.199/w01
request	GET http://140.99.221.199/w01

Allocates read-write-execute memory (usually to unpack itself) (50 out of 354 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef405e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd6c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd7c3000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefaacb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef31a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3420000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3420000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3420000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3420000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3420000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3421000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3421000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3421000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3421000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef341e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:15 p.m.	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\setup.bat
file	C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\Amox.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 16, 2023, 4:15 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000000000000120 filepath: C:\Windows\Temp\6quf3_2792.sys desired_access: 0x001f01ff (FILE_READ_DATA\|FILE_READ_ATTRIBUTES\|FILE_READ_EA\|FILE_WRITE_DATA\|FILE_WRITE_ATTRIBUTES\|FILE_WRITE_EA\|FILE_APPEND_DATA\|FILE_EXECUTE\|FILE_LIST_DIRECTORY\|FILE_TRAVERSE\|STANDARD_RIGHTS_ALL\|STANDARD_RIGHTS_REQUIRED\|DELETE\|READ_CONTROL\|WRITE_DAC\|WRITE_OWNER\|SYNCHRONIZE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Windows\Temp\6quf3_2792.sys create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 7 (FILE_SHARE_READ\|FILE_SHARE_WRITE\|FILE_SHARE_DELETE)	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\7z63AF8A10\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell Add-MpPreference -ExclusionPath C:\
cmdline	powershell Remove-MpPreference -ExclusionPath C:\
cmdline	regsvr32 ./Files/Amox.dll /s

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 16, 2023, 4:14 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\setup.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\setup.bat	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 16, 2023, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 16, 2023, 4:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\setup.bat

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	140.99.221.199

Installs itself for autorun at Windows startup (1 event)

service_name

6quf3_2792

service_path

C:\Windows\Temp\6quf3_2792.sys

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA April 16, 2023, 4:15 p.m.	service_start_name: start_type: 1 password: display_name: 6quf3_2792 filepath: C:\Windows\Temp\6quf3_2792.sys service_name: 6quf3_2792 filepath_r: C:\Windows\Temp\6quf3_2792.sys desired_access: 983551 service_handle: 0x00000000002010f0 error_control: 1 service_type: 1 service_manager_handle: 0x00000000002011e0	1	2101488	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\7z63AF8A10\Files\setup.bat

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

MicroWorld-eScan	Trojan.GenericKD.66434011
FireEye	Trojan.GenericKD.66434011
McAfee	Artemis!9B329956BF93
Cylance	unsafe
Sangfor	Trojan.Win32.Agent.Vd95
CrowdStrike	win/grayware_confidence_60% (D)
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.MDFZPMG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.66434011
Avast	Win64:TrojanX-gen [Trj]
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1301936
DrWeb	Trojan.Siggen20.37449
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.66434011 (B)
Ikarus	Trojan.Win64.Agent
Avira	HEUR/AGEN.1301936
Gridinsoft	Ransom.Win64.Sabsik.sa
Microsoft	Trojan:Script/Phonzy.C!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.66434011
Google	Detected
MAX	malware (ai score=88)
Fortinet	W32/PossibleThreat
AVG	Win64:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49178

Acx_w01.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All