Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 16, 2023, 4:14 p.m.	April 16, 2023, 4:33 p.m.

Size	5.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`19b50e116e3708c663672d9c6e5a02f7`
SHA256	`a9b3a6990f77252738e89a4880dba0f331cb151c0dfda1ddd0d5002aa907479e`
CRC32	`595816F0`
ssdeep	`98304:S7B3hoDTBYPaLo4HgOeBdLEIkIT4p2yESDVGo6BImDQxeuEq:S7JC3AGHgOebIIJT4p2yhDVOymDCE`
Yara	mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check Network_Downloader - File Downloader PE_Header_Zero - PE File Signature IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals Keylogger_Discord - Suspicious keylogging script

s2s.exe "C:\Users\test22\AppData\Local\Temp\s2s.exe"
2560
- rundll32.exe "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
176.113.115.21	Active	Moloch
86.197.207.96	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2023, 4:14 p.m.			0	0
IsDebuggerPresent April 16, 2023, 4:14 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptGenKey April 16, 2023, 4:14 p.m.	crypto_handle: 0x0105ea88 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x01047300	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: ¤RSA2ñjÌP8ÄÊOîGå·©¥¸ÞJõ4ì³[tÙÜ>À¯UáçÌ+\OþBrAÜþÌBD ÐTdâÛ°Íu²é²c ìýe @E2ÿ'ñÛeïSÃõlÀUµ§¨ÝÇ5r~I÷ë¡»c}7ÂvÂa³Úh¬Ç¬ÀÏó]4}Û§Nnó}NKÉÃNxW@C®¨pB£ÝðÒë lÜµúX¤ W;ö:ÄåíÄ±bG nèË,òxùÀå¶$×c6ÄcbÑÏ´¢ÌFD nR5Ög;âWÒ4Ù¡Åá¥dÌäjªØ-seÈ[Û ÕF"\B[¼å¶¯ÖVÅUvXþZ«²nÝ£pøy´p°Hnö2ù0T°ÐyÅèã¬üÃ`hAý@§«ýÎqÅÒ -hÓ×å/ÈYæâýU©ê¸¼æ9öÛ®R/Áè?6vw °Ç^Ô ¯(@+';®¶²c <úéú{pøÔùj!Å6¢vàwGMÒW£aÄ$8õ;vp'#Ì)¤zó^ë\à4QìMí>¿-§¿÷³In7X81f£6ÈkmOõ5¥aïÑ}_xfÍòêNô®'dH»K£ ¶ÝyämËýÓØjßJP6^Ü)N6ÎÒÿ½pb!rÛõ-£å4UÆ]®é# crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: ¤RSA1ñjÌP8ÄÊOîGå·©¥¸ÞJõ4ì³[tÙÜ>À¯UáçÌ+\OþBrAÜþÌBD ÐTdâÛ°Íu²é²c ìýe @E*2ÿ'ñÛeïSÃõlÀUµ§¨ÝÇ5r~I÷ë¡»c}7ÂvÂ crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey April 16, 2023, 4:14 p.m.	crypto_handle: 0x0105eac8 algorithm_identifier: 0x00006610 () flags: 1 key: f $]T1¦wU»ÛõÇ®û®Ñ$Ì'B°çCßiy'- provider_handle: 0x01047388	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: f $]T1¦wU»ÛõÇ®û®Ñ$Ì'B°çCßiy'- crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:14 p.m.	crypto_handle: 0x0105eb08 algorithm_identifier: 0x00006610 () flags: 1 key: f U(:¬W LÁMÁ{yÌó ËÖþ^¹Qf¼Y provider_handle: 0x01047388	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:14 p.m.	buffer: f U(:¬W LÁMÁ{yÌó ËÖþ^¹Qf¼Y crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105ea88 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x01047410	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: ¤RSA2iÁº-×³i.½xRqâ=ÆÈkÓ ºËT+ªÉ®1M4Ùõ§ÕhÝNëÚ{9ûß-ßü2wËj$/b^w)ýÉÒí2¯Þpyvõ áößúz]ãAßb!h\|µ·Ïo9ÕÎnDë1Á#;÷[îÄÿ2ö(ªn`f±´£al~x5ô¹âÕ³ÃfãïE?áÇ48ËNZ¬%©~;µ¤ø`ø6e¨óðÜEëé¨:ißµ&wïàE$ùÙÎ²%úÁOÀXÚ¿ö °W1¢ ªÀµã#èú!äpC9y¾%Êå:Ñ?M]ä $,8[vA½[~Ó¶ðb;Ên´jþ 3y1<3ûí½ÔýùíóQF±_\|¶j/ÓÚÕBCßy>¯¡ü;\þ=óýøuý°üÙ¨J ÓËò ÍÛ>¿+"kÂA$ÁÒgëÄnÜ7-¤Övþd¶HøúöEû<@üâÓå MìÒ8æï#Õë%¿T ¯Jx¢?<¸WêÄÂ÷ØÃ]×}óÙ &±õñ ÿ O¨)D¦Ms¸7vEÂªN&Ùà½r@Ý9*n<fVzó£Eyú J>öã·»ØKNµ Âõv[ÔÌ`Qï^`ÿ ´µ©Xç°ê"ìÖApðNcþÞ}ì°2R;htz»_È= crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: ¤RSA1iÁº-×³i.½xRqâ=ÆÈkÓ ºËT+ªÉ®1M4Ùõ§ÕhÝNëÚ{9ûß-ßü2wËj$/b^w)ýÉÒí2¯Þpyvõ áößúz]ãAßb!h\|µ·Ïo9ÕÎnDë1Á#;÷[îÄ crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105eac8 algorithm_identifier: 0x00006610 () flags: 1 key: f ú¿½J×y·_ÌÃòú'_CØ×kÏâüi°Àbv provider_handle: 0x01047498	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: f ú¿½J×y·_ÌÃòú'_CØ×kÏâüi°Àbv crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105eb08 algorithm_identifier: 0x00006610 () flags: 1 key: f ìyDlQ<â~üYvtO¼ø¸²>ú¹R¡ñ provider_handle: 0x01047498	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: f ìyDlQ<â~üYvtO¼ø¸²>ú¹R¡ñ crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105ea88 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x01047520	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: ¤RSA2iÈ¾j8¹JfvîÒÞmåárQåûÉå£ÎÓRa÷!½\|tcfmW©::FêÊ%Þhc 1ßñÅq;¹þf>Ä§Ð6öpFqº[UÃ"°5A¼N÷õ©6Ïs]cyNY/B`BåÕ~×y>£IÄG ¤O`ÕÍO;ÉôL®~NK`ºÞ>Ë¥t+&ª¨ärûRÉc§) _úÝ¥\|ñ²ßwpºñÑÅ~ð 9É¹ø ÎÆdÿÜ0$¦UøB£E±·½§qè9¾ lqy tï· ÏWÐÓµiGWÚ_ÐKYü1rÇÛ]ðy\|M²(TîþÀü#«O8ï©ÀÅD@Òp35/M`0 !Ï.ãÐbÎn¨ò<ñXe(?µ]?kS{?úÜßÚ`9Ï. tH¬l¾êðîo¤·3ÒÕ¹X¯¯1À$½î'ÚºDºÇ1ñ3²Ç-Û¿j\»òÅävK&ì3KävN2ißªí»³¢ßÈ<(\>.XKû`\Ãd±kælvlt PK@ü2Ö±)ÊGyJn`s úT»¢ a²½ÈÙ£eÓçÌñ±ßÒ/8Ã*IôWn4´?]:WoìÖàO\NJGÛ´Ë§¤0ÕÙ<oÝ8wÔ êyprAQÞåaßL crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: ¤RSA1iÈ¾j8¹JfvîÒÞmåárQåûÉå£ÎÓRa÷!½\|tcfmW©::FêÊ%Þhc 1ßñÅq;¹þf>Ä§Ð6öpFqº[UÃ"°5A¼N÷õ©6Ïs]cyNY/B`BåÕ~×y>£IÄG ¤O`Õ crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105eac8 algorithm_identifier: 0x00006610 () flags: 1 key: f 2kßI´ä}¼ç MIMùüô@óú"TK´¼$ô0 provider_handle: 0x010475a8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: f 2kßI´ä}¼ç MIMùüô@óú"TK´¼$ô0 crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105eb08 algorithm_identifier: 0x00006610 () flags: 1 key: f ¡syáÚÍ ©áÝAQIS"_D\|w®¿7 provider_handle: 0x010475a8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: f ¡syáÚÍ ©áÝAQIS"_D\|w®¿7 crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105ea88 algorithm_identifier: 0x00000001 () flags: 67108865 key: provider_handle: 0x010475a8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: ¤RSA29A¶rmªJÆoõ£]Ä6>êÐM3øÂû¼C4_ãßáàÉSÀ?ì6¹+0[DÊÖyâ oék^,ÊqÅoÊ¯épã¢EÔhµñ=C pÎ"»hnÝ0KçPÐ7W½$ mkÓ-û-4ªºRºÀ/:Kp¸x×+ÉÒt¿¢3P]Ì¾KþhrðsJ1ð`Wxâñþú°¯:,ü½\}I¢( [Ö¡gKQ±Ìn°ê[iL¡È%g%UQ?R+Ù÷ L¶ÔÂ1?dm,È¡HyÊÖ Æµ¶× ö©R®QUXi<pÇÕñp?ù45í3-Ç×¡áv~TÜ`×-sÇëíOÑÎWtî¢mêdP¼¢¢Öâ¶d×ºfì®Q×àH$nc¬·BS¡rßPj[£®mÆU3eYøKCvÞ<áE8cfQOåßI¹ýýävárc ØïbË¢lt\ÓdéúË¸¨§(_ÂïNÿí¾a³ÈB5,À:Ø ðÔ²GD=]bUGØYB'õÐúá» Ó¯ÕIÅ½iSç²Y¢`AîJ¼ 72T©ñ=N¨Ó½ÓËÊôÊ`6kª^KÓîÂ ÓÈèÉ@/5w0# Ø££$suß\|âUh crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 7	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: ¤RSA19A¶rmªJÆoõ£]Ä6>êÐM3øÂû¼C4_ãßáàÉSÀ?ì6¹+0[DÊÖyâ oék^,ÊqÅoÊ¯épã¢EÔhµñ=C pÎ"»hnÝ0KçP*Ð7W½$ mkÓ crypto_handle: 0x0105ea88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105eac8 algorithm_identifier: 0x00006610 () flags: 1 key: f KÒGòq«þYUÇ£=Ï ©³¢*e}3}ò yà provider_handle: 0x01047520	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: f KÒGòq«þYUÇ£=Ï ©³¢*e}3}ò yà crypto_handle: 0x0105eac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptGenKey April 16, 2023, 4:15 p.m.	crypto_handle: 0x0105eb08 algorithm_identifier: 0x00006610 () flags: 1 key: f èÀ:díÔHq!T¨±Ñú¼¹NM31/ provider_handle: 0x01047520	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey April 16, 2023, 4:15 p.m.	buffer: f èÀ:díÔHq!T¨±Ñú¼¹NM31/ crypto_handle: 0x0105eb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2023, 4:14 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ April 16, 2023, 4:14 p.m.	stacktrace: RtlUlonglongByteSwap+0x7a9 RtlFreeOemString-0x21131 ntdll+0x7db99 @ 0x76f8db99 EtwGetTraceEnableFlags+0x605 RtlEqualString-0x9e ntdll+0x61d2e @ 0x76f71d2e RtlDecodePointer+0xf7 LdrInitializeThunk-0x1d ntdll+0x39e2c @ 0x76f49e2c LdrInitializeThunk+0x10 RtlInitializeExceptionChain-0x16 ntdll+0x39e59 @ 0x76f49e59 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xc7ada0aa registers.esp: 136969148 registers.edi: 11610120 registers.eax: 0 registers.ebp: 136969176 registers.edx: 1996562560 registers.ebx: 3350044842 registers.esi: 136969164 registers.ecx: 17	1
__exception__ April 16, 2023, 4:14 p.m.	stacktrace: RtlUlonglongByteSwap+0x7a9 RtlFreeOemString-0x21131 ntdll+0x7db99 @ 0x76f8db99 EtwGetTraceEnableFlags+0x605 RtlEqualString-0x9e ntdll+0x61d2e @ 0x76f71d2e RtlDecodePointer+0xf7 LdrInitializeThunk-0x1d ntdll+0x39e2c @ 0x76f49e2c LdrInitializeThunk+0x10 RtlInitializeExceptionChain-0x16 ntdll+0x39e59 @ 0x76f49e59 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xc7ada0aa registers.esp: 139328444 registers.edi: 11610120 registers.eax: 0 registers.ebp: 139328472 registers.edx: 1996562560 registers.ebx: 3350044842 registers.esi: 139328460 registers.ecx: 17	1
__exception__ April 16, 2023, 4:14 p.m.	stacktrace: RtlUlonglongByteSwap+0x7a9 RtlFreeOemString-0x21131 ntdll+0x7db99 @ 0x76f8db99 EtwGetTraceEnableFlags+0x605 RtlEqualString-0x9e ntdll+0x61d2e @ 0x76f71d2e RtlDecodePointer+0xf7 LdrInitializeThunk-0x1d ntdll+0x39e2c @ 0x76f49e2c LdrInitializeThunk+0x10 RtlInitializeExceptionChain-0x16 ntdll+0x39e59 @ 0x76f49e59 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xc7ada0aa registers.esp: 142474172 registers.edi: 11610120 registers.eax: 0 registers.ebp: 142474200 registers.edx: 1996562560 registers.ebx: 3350044842 registers.esi: 142474188 registers.ecx: 17	1
__exception__ April 16, 2023, 4:15 p.m.	stacktrace: RtlUlonglongByteSwap+0x7a9 RtlFreeOemString-0x21131 ntdll+0x7db99 @ 0x76f8db99 RtlValidRelativeSecurityDescriptor+0x23d DbgPrintEx-0x123 ntdll+0x759d0 @ 0x76f859d0 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 0x7c7e66e s2s+0x4231b7 @ 0x8231b7 s2s+0x43f020 @ 0x83f020 s2s+0x43f31e @ 0x83f31e exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xc7ada0aa registers.esp: 1631064 registers.edi: 11610120 registers.eax: 0 registers.ebp: 1631092 registers.edx: 1996562560 registers.ebx: 3350044842 registers.esi: 1631080 registers.ecx: 17	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 68 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4698112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4698112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4599808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04790000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4612096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f40000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 11743232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x073c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07e71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08670000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x080ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08144000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08680000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75857000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08680000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x080ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08144000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08690000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75899000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08690000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x080ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08144000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c00000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08c00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x080cf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08144000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 region_size: 11743232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x764b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2023, 4:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 942 seconds, actually delayed analysis time by 942 seconds

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 16, 2023, 4:14 p.m.	show_type: 0 filepath_r: 111111111111111 parameters: filepath: 111111111111111		0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (35 events)

Time & API	Arguments	Status	Return
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: smss.exe process_identifier: 224	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: services.exe process_identifier: 444	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: pw.exe process_identifier: 988	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: taskhost.exe process_identifier: 2376	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: s2s.exe process_identifier: 2560	1	1
Process32NextW April 16, 2023, 4:14 p.m.	snapshot_handle: 0x00000224 process_name: rundll32.exe process_identifier: 2676	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00480800', u'virtual_address': u'0x000e1000', u'entropy': 7.943917247183398, u'name': u'.rsrc', u'virtual_size': u'0x00480800'}

entropy

7.94391724718

description

A section with a high entropy has been found

entropy

0.839861541264

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

rundll32.exe

Communicates with host for which no DNS query was performed (2 events)

host	176.113.115.21
host	86.197.207.96

Checks the CPU name from registry, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

86.197.207.96:443

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Lionic	Trojan.Win32.Tedy.4!c
MicroWorld-eScan	Gen:Variant.Tedy.340565
ALYac	Gen:Variant.Tedy.340565
VIPRE	Gen:Variant.Tedy.340565
Sangfor	Trojan.Win32.Save.a
Arcabit	Trojan.Tedy.D53255
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Generik.PNAWNO
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Agentb.gen
BitDefender	Gen:Variant.Tedy.340565
Emsisoft	Gen:Variant.Tedy.340565 (B)
F-Secure	Trojan.TR/AD.Nekark.bcmwk
DrWeb	Trojan.PWS.DanaBot.460
McAfee-GW-Edition	BehavesLike.Win32.ObfuscatedPoly.tc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.19b50e116e3708c6
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	TR/AD.Nekark.bcmwk
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Script.Phonzy
Gridinsoft	Trojan.Win32.Agent.cl
Microsoft	Trojan:Win32/Woreflint.A!cl
ZoneAlarm	HEUR:Trojan.Win32.Agentb.gen
GData	Gen:Variant.Tedy.340565
Google	Detected
AhnLab-V3	Trojan/Win.Agent.C5224738
McAfee	Artemis!19B50E116E37
DeepInstinct	MALICIOUS
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CDE23
Rising	Trojan.Generic@AI.88 (RDML:lB6N3EMmvvuXSZ1UKmHX2g)
Ikarus	Trojan.SuspectCRC
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZelphiCO.36132.@JW@aq8xFypi
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]

s2s.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All